diff --git a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
index f4e980f0f0a..48256400d64 100644
--- a/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
+++ b/.script/tests/detectionTemplateSchemaValidation/ValidConnectorIds.json
@@ -94,6 +94,7 @@
 "GCPDNSDataConnector",
 "GWorkspaceRAPI",
 "GoogleWorkspaceReportsAPI",
+ "GreyNoise2SentinelAPI",
 "IdentityInfo",
 "ImpervaWAFCloudAPI",
 "ImpervaWAFGateway",
diff --git a/Logos/greynoise_logomark_black.svg b/Logos/greynoise_logomark_black.svg
new file mode 100644
index 00000000000..12c2e131372
--- /dev/null
+++ b/Logos/greynoise_logomark_black.svg
@@ -0,0 +1,42 @@
+ + + + + + + + + + + + + + + + + + + + +
diff --git a/Sample Data/Custom/GreyNoiseEvent.json b/Sample Data/Custom/GreyNoiseEvent.json
new file mode 100644
index 00000000000..11ca680281b
--- /dev/null
+++ b/Sample Data/Custom/GreyNoiseEvent.json
@@ -0,0 +1,72 @@
+[
+ {
+ "ip": "1.1.2.2",
+ "metadata": {
+ "asn": "AS25000",
+ "city": "Ta’if",
+ "country": "Saudi Arabia",
+ "country_code": "SA",
+ "organization": "Saudi Telecom Company JSC",
+ "category": "isp",
+ "tor": false,
+ "rdns": "" ,
+ "os": "Windows 7/8",
+ "sensor_count": 78,
+ "sensor_hits": 433,
+ "region": "Mecca Region",
+ "destination_countries": [
+ "Belarus",
+ "United States",
+ "Saudi Arabia",
+ "Bulgaria",
+ "United Kingdom",
+ "Israel",
+ "Australia",
+ "Indonesia",
+ "South Korea"
+ ],
+ "source_country": "Saudi Arabia",
+ "source_country_code": "SA",
+ "destination_country_codes": [
+ "BY",
+ "US",
+ "SA",
+ "BG",
+ "GB",
+ "IL",
+ "AU",
+ "ID",
+ "KR"
+ ]
+ },
+ "bot": false,
+ "vpn": false,
+ "vpn_service": "N/A",
+ "spoofable": false,
+ "raw_data": {
+ "scan": [
+ {
+ "port": 445,
+ "protocol": "TCP"
+ },
+ {
+ "port": 1433,
+ "protocol": "TCP"
+ }
+ ],
+ "web": {},
+ "ja3": [],
+ "hassh": []
+ },
+ "first_seen": "2023-08-23",
+ "last_seen": "2023-08-25",
+ "seen": true,
+ "tags": [
+ "MSSQL Bruteforcer",
+ "SMBv1 Crawler"
+ ],
+ "actor": "unknown",
+ "classification": "malicious",
+ "cve": []
+ }
+]
\ No newline at end of file
diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ExampleDomainProxyLog_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ExampleDomainProxyLog_IngestedLogs.csv
new file mode 100644
index 00000000000..9b5e0198802
--- /dev/null
+++ b/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ExampleDomainProxyLog_IngestedLogs.csv
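Review bot: The sample event's `"ip": "1.1.2.2",` is a globally routable address, so anyone who loads this fixture into a workspace and runs the GreyNoise analytics against it will produce findings about a real third-party host; unless the value is copied verbatim from vendor documentation, prefer an RFC 5737 documentation address, e.g. `"ip": "192.0.2.10",` (constructed example). Two smaller hygiene points in the same hunk: `"rdns": "" ,` carries a stray space before the comma, and the file ends without a trailing newline (`\ No newline at end of file`), which line-oriented tooling and formatters expect. The `"vpn_service": "N/A"` string sentinel next to the boolean `"vpn": false` is presumably what the upstream API returns, so it is fine to keep as long as the connector or parser does not treat it as a real service name.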
@@ -0,0 +1,13 @@ +TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type,"_ResourceId",parts,tld,"DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1 +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.074 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control 
Activity",,"indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de","9/19/2023, 7:07:35.900 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.117 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e","9/19/2023, 7:07:36.511 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. 
Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.343 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--78c75a0a-c236-4f67-907f-facde94f5c6d","9/19/2023, 7:07:32.698 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. 
Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:08.349 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--edf873d9-031f-4512-9377-7c66b70d6d84","9/19/2023, 7:07:37.897 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:08.353 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--ef68f1ed-1f9b-4f90-9048-4f9dfc514708","9/19/2023, 7:07:38.169 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. 
Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:11.465 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--72b32039-662f-4dca-9155-4f4d982e846f","9/19/2023, 7:07:40.318 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:11.662 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control 
Activity",,"indicator--640d024a-2112-4662-bd03-853659264c71","9/19/2023, 7:07:40.943 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.963 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--a5882cfd-0384-4071-b400-df9cfc514767","9/19/2023, 9:08:27.378 
PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.964 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--e6b91855-bc05-4724-b425-b72faf48773a","9/19/2023, 9:08:27.494 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS 
Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695139103510,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:51.412 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--307dc0e1-825a-4b37-9b48-d380004c11ce","9/19/2023, 9:08:26.824 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM","f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:51.904 PM","Recorded 
Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--360a7529-56ba-4d31-85b0-3865aff91310","9/19/2023, 9:08:24.489 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv new file mode 100644 index 00000000000..ba53b2baa07 --- /dev/null +++ b/Sample Data/Custom/Recoreded Future/RecordedFutureDomainWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv 
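Review bot: The new directory `Sample Data/Custom/Recoreded Future/` is misspelled (`Recoreded` for `Recorded`), and because all three CSV files in this commit — this one, `RecordedFutureDomainWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv` and `RecordedFutureHashWorkbook_ExampleHashFirewallLog_IngestedLogs.csv` — are created under it, the path should be corrected before anything references it. Every data row also carries what look like real workspace identifiers, `TenantId` `f233a343-df06-4d9a-8a18-5b3eb8942c7f` and `AzureTenantId` `ce7c0437-29b2-4139-8c26-0babf2d3738c`, which presumably came from a live Log Analytics export; confirm they are synthetic or replace them with a placeholder such as `00000000-0000-0000-0000-000000000000` before publishing. The header row is likewise a UI export (`TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]`) and the timestamps are locale-formatted local times such as `9/16/2023, 4:05:13.099 PM` with no offset, so the file does not match the table's real `TimeGenerated` column and cannot be re-ingested as-is to reproduce the workbook; either export with ISO 8601 UTC timestamps and plain column names or state in the accompanying documentation that these files are illustrative only. The same three points apply to the second CSV file's hunk.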
@@ -0,0 +1,6 @@ +TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type1,"_ResourceId",parts,tld,"DNS_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 
1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:45.466 PM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 5:08:45.466 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--027005e3-dfe2-41d2-bd06-e8ac80b9aab8","9/19/2023, 7:07:32.983 PM",8BD4D42FFD595F366EA42C53950192F049B8D0F8E2BADF9A90272D0814364FB0,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: @DGAFeedAlerts. Most recent tweet: New unknownmalware Dom: snfrpmnq[.]org IP: 169[.]50[.]13[.]61 NS: https://t.co/JxUb8f0Cir https://t.co/RCTjQ7czQd. 
Most recent link (May 5, 2020): https://twitter.com/DGAFeedAlerts/statuses/1257784471450980354\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1588714161000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695056485635,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695056485614,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"snfrpmnq.org",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:20:55.461 AM",,,GET,"text/css","Squid_Proxy","snfrpmnq.org","TCP_MISS/200","10.1.4.174","http://snfrpmnq.org/xsqvmdw","Squid_Proxy_Domain_CL",,"[""snfrpmnq"",""org""]",org,"9/19/2023, 11:20:55.461 AM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.117 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",92,"Recorded Future - Domains - Command and Control Activity",,"indicator--0fc20b4c-3c37-4321-b991-2eaafc2d744e","9/19/2023, 7:07:36.511 PM",95956A998E54BBE5EFCA1E68B6AE8DE2FF31FA3B286070A6931C18CD8FB19965,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported Botnet Domain\"",\""EvidenceString\"":\""9 sightings on 1 source: External Sensor Data Analysis. nihsxhvkfjwotm.bid is observed to be a botnet domain from which network attacks are launched. 
Attacks may include SPAM messages, DOS, SQL injections, proxy jacking, and other unsolicited contacts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691544788241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 2 sources: Bambenek Consulting C&C Blocklist, Recently Viewed Integrations Indicators. Observed between Mar 5, 2023, and Mar 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695104194129,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695104194092,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"nihsxhvkfjwotm.bid",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 4:05:12.176 PM",,,GET,"image/webp","Squid_Proxy","nihsxhvkfjwotm.bid","TCP_MISS/304","10.1.147.78","http://nihsxhvkfjwotm.bid/nkavfib","Squid_Proxy_Domain_CL",,"[""nihsxhvkfjwotm"",""bid""]",bid,"9/15/2023, 4:05:12.176 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.343 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",91,"Recorded Future - Domains - Command and Control Activity",,"indicator--78c75a0a-c236-4f67-907f-facde94f5c6d","9/19/2023, 7:07:32.698 PM",7E44E1F99140ED284EF6D4379ED8B40505BCA4A18FDDFECC3818DDA1ABB06581,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Jul 5, 2023): https://twitter.com/0xToxin/statuses/1676578018985123841\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688562323000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695051741313,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"csyeywqwyikqaiim.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:08:25.443 PM",,,GET,"text/css","Squid_Proxy","csyeywqwyikqaiim.xyz","TCP_MISS/304","10.1.203.27","http://csyeywqwyikqaiim.xyz/wixylmz","Squid_Proxy_Domain_CL",,"[""csyeywqwyikqaiim"",""xyz""]",xyz,"9/19/2023, 5:08:25.443 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:06.074 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",90,"Recorded Future - Domains - Command and Control Activity",,"indicator--b29ed22d-bc66-4ea3-9527-cb1f7d5996de","9/19/2023, 7:07:35.900 PM",4B5338C3FB62BE62671A9C63A9FB11D83CE2B9E9DC70D082C46256A054D65280,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recent C&C DNS Name\"",\""EvidenceString\"":\""1 sighting on 1 source: Bambenek Consulting C&C Blocklist.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695057312382,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,"ikomoouessgqekmc.xyz",,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/16/2023, 4:05:13.099 PM",,,GET,"text/javascript","Squid_Proxy","ikomoouessgqekmc.xyz","TCP_MISS/200","10.1.70.199","http://ikomoouessgqekmc.xyz/qgdaxsi","Squid_Proxy_Domain_CL",,"[""ikomoouessgqekmc"",""xyz""]",xyz,"9/16/2023, 4:05:13.099 PM" 
diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ExampleHashFirewallLog_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ExampleHashFirewallLog_IngestedLogs.csv
new file mode 100644
index 00000000000..f7ba211fb2a
--- /dev/null
+++ b/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ExampleHashFirewallLog_IngestedLogs.csv
@@ -0,0 +1,7 @@ +TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"HashType_s","Hash_s","Computer_Name_s","Detection_Name_s","Device_s","Downloaded_by_s","File_Path_s","Hash_g","Hash_Type_s","Src_IPv4_s",Type,"_ResourceId",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1 +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 1:30:37.249 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - 
HASH - Observed in Underground Virus Testing Sites",,"indicator--b99735da-acc9-476b-99fa-516882ff25a8","8/30/2023, 1:30:28.501 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. 
Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 1:30:52.683 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--eb5dc02d-b6e4-48a4-a20c-772b0ac6e513","9/3/2023, 1:30:41.681 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693584861111,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""7 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 1:30:28.339 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--f89bc269-9025-4a2f-a7ab-891ce4d1f797","9/2/2023, 1:30:22.865 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693403523241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 1:30:42.607 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--0309b507-b602-4897-b50c-bc015630a0a1","8/31/2023, 1:30:26.336 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693317036271,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 1:30:02.605 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--85469c8b-633d-495c-8f4b-db7e4e6722ac","9/1/2023, 1:29:57.634 PM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 1 source: Bleepingcomputer Forums. Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693403523241,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: Special Collection Hashes.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv new file mode 100644 index 00000000000..b3f0310f127 --- /dev/null 
+++ b/Sample Data/Custom/Recoreded Future/RecordedFutureHashWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv 
@@ -0,0 +1,5 @@ +TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"HashType_s","Hash_s","Computer_Name_s","Detection_Name_s","Device_s","Downloaded_by_s","File_Path_s","Hash_g","Hash_Type_s","Src_IPv4_s",Type1,"_ResourceId" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 
2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. 
Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 10:09:03.118 PM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 9:09:01.011 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. 
Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 7:09:01.215 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:48:38.666 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",89,"Recorded Future - HASH - Observed in Underground Virus Testing Sites",,"indicator--b2d008bc-14b0-41bb-9b22-1c4b170984bb","8/29/2023, 11:48:30.985 AM",09DD8F81D936AD6704EF8449BED37AB8E5118A23E42A17FD1A02AD4B05CE4F7A,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Threat Researcher\"",\""EvidenceString\"":\""4 sightings on 0 sources: Most recent link (May 1, 2022): https://www.bleepingcomputer.com/forums/t/771489/norton-blocked-an-attack-by-system-infected-trojanbackdoor-activity-578/#entry5354492\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1651376951669,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recorded Future Analyst Community Trending Indicators. 
Observed between Jun 24, 2021, and Jul 2, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692878798728,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Linked to Attack Vector\"",\""EvidenceString\"":\""3 sightings on 1 source: Insikt Group. 9 related attack vectors including Powershell Attack, VBA Malware, Phishing, Cross site scripting, Web Application Exploitation.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Vulnerability\"",\""EvidenceString\"":\""1 sighting on 0 sources: 11 related cyber vulnerabilities including CWE-20, CVE-2017-11882, CVE-2017-8759, CVE-2018-15982, CVE-2018-8174.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1593698472800,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Linked to Cyber Attack\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1686347161530,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Suspicious Behavior Detected\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Triage Malware Analysis. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 03, 2023. Triage score: 7 (Shows suspicious behavior). No malware detections. Contains: 3 ATT&CK behaviors, 0 command and control indicators, and 8 signatures. Most recent link (Aug 3, 2023): https://tria.ge/230803-11kf2she5s\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691100579000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Referenced by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Cheap and Flexible, AZORult Remains Viable Commodity Malware for Less-Experienced Threat Actors. 
Most recent link (Jul 02, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:eZyfXH\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1559001600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Positive Malware Verdict\"",\""EvidenceString\"":\""6 sightings on 4 sources: Recorded Future Triage Malware Analysis, PolySwarm PolyUnite, ReversingLabs, PolySwarm. Malware sandbox report for 237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d on August 23, 2023. Triage score: 10 (Known bad). No malware detections. Contains: 1 ATT&CK behavior, 0 command and control indicators, and 12 signatures. Most recent link (Aug 23, 2023): https://tria.ge/230823-wqncqsgb5y\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692814271000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 1 report: Casbaneiro Banking Trojan Variant Distributed Via COVID-19 Lure, Shared on Twitter. Most recent link (Mar 25, 2020): https://app.recordedfuture.com/portal/analyst-note/doc:dUts77\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1686268800000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Observed in Underground Virus Testing Sites\"",\""EvidenceString\"":\""2 sightings on 1 source: d-lVCC.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1667765120000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,SHA256,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,,,,,,,,,,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/12/2023, 10:08:55.873 AM",,,,237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d,vmhwhfcsfq,"Trojan.Gen.2",EndpointProtection,"c:/program files (x86)/ggggg/cccc/application/cccc.exe","C:\Users\user1\Downloads\XXXXXX Start Orb Changer.exe",,SHA2,"10.1.103.63","EndpointProtection_HASH_CL", 
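Review bot: The timestamp columns in this sample's header row were exported in the exporting user's display time zone — the header literally reads `TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]` (likewise `ExpirationDateTime`, `FileCompileDateTime`, `FileCreatedDateTime`, `TimeGenerated1`) and the values are locale-formatted without an offset (`8/28/2023, 11:48:38.666 AM`), so re-ingesting this file yields ambiguous timestamps and column names that will not match the real `TimeGenerated`/`ExpirationDateTime` fields the workbook queries. Consider renaming those headers to the plain field names and writing the values as ISO 8601 UTC, e.g. `2023-08-28T09:48:38.666Z` (constructed example, assuming the export was CEST). The `TenantId`/`AzureTenantId` GUIDs `f233a343-…` and `ce7c0437-…` repeat in every row; if these are real tenant identifiers rather than synthetic ones, they should be replaced with obviously fake values before shipping in a public sample. The four data rows are byte-identical apart from `TimeGenerated1`, which is acceptable for a workbook sample but worth stating in the file's description so nobody mistakes it for a representative dataset.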
diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ExampleIPFirewallLog_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ExampleIPFirewallLog_IngestedLogs.csv
new file mode 100644
index 00000000000..97d5a490ddb
--- /dev/null
+++ b/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ExampleIPFirewallLog_IngestedLogs.csv
@@ -0,0 +1,13 @@ +TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Device_s","Dst_IPv4_s","Dst_Zone_s","Port_s","Protocol_s","Src_IPv4_s","Src_Zone_s",Type,"_ResourceId",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1 +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 10:49:51.966 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.344 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--b7b8a4b8-14b4-4a11-ba4e-934d1e274af6","9/20/2023, 5:45:06.836 
PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695127122344,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695127122345,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695127122392,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""39 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. 
\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""722 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695036675487,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1695127122345,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 60.13.138.144 on port 36268 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-18 at 17:33 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695119424469,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 10:49:57.489 AM",,,permit,NetScreen,"101.43.183.39",internet,443,TCP,"10.1.0.14",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--00829322-e7c1-4cee-a0f6-e0a1a8f76f36","9/20/2023, 5:45:07.505 PM",1774E59DC3A04EA16392084FA510938EE69F821A05AD1D69A552F543E280A421,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""4 sightings on 3 sources: C2IntelFeeds IPC2s, Twitter, Recorded Future Command & Control List. 3 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST), Cobalt Strike Beacon. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 101.43.183.39:35535 as possible TA0011 (Command and Control) for CobaltStrike Beacon on August 05, 2023. Most recent link (Aug 5, 2023): https://threatfox.abuse.ch/ioc/1148839\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691270041000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Linked to Cyber Attack\"",\""EvidenceString\"":\""1 sighting on 1 source: C2IntelFeeds IPC2s. 
Most recent link (Mar 30, 2022): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=101.43.183.39_20220330\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1648643432000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recently Viewed Integrations Indicators. Observed between Sep 9, 2023, and Sep 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695128041417,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""33 sightings on 2 sources: Recorded Future Command & Control Reports, Recorded Future Command & Control List. 101.43.183.39:35538 was reported as a command and control server for Cobalt Strike on Jun 26, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1687854159331,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""5 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.97.185 on 2 ports including 39389 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-16 at 21:03 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""269 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 101.43.183.39:35538 as a command and control server for Cobalt Strike on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695025840225,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.97.190 on 5 ports including 47223 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-18 at 14:51 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 101.43.183.39:35535 as a command and control server for Cobalt Strike on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695112270119,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"101.43.183.39",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:23.687 AM",,,permit,NetScreen,"120.76.173.159",internet,80,TCP,"10.1.42.223",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.354 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--45ac5238-6f6b-4e37-8d3c-02e8df399185","9/20/2023, 5:45:07.767 PM",8F9AAD5C814D1F022CE005D3CC39C10FE5320F84FAC86EAEDB253422AE7E920D,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Jul 4, 2023): https://twitter.com/drb_ra/statuses/1676274392014233613\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688489933000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C Server\"",\""EvidenceString\"":\""3 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 120.76.173.159:8091 as possible TA0011 (Command and Control) for CobaltStrike Beacon on August 05, 2023. Most recent link (Aug 5, 2023): https://threatfox.abuse.ch/ioc/1148829\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691259967000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""21 sightings on 1 source: DHS Automated Indicator Sharing. 21 reports including CCCS-IXR_2023_86526_1, from YummyBellPepper50 (Sep 1, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693569130028,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Jul 4, 2023): https://twitter.com/drb_ra/statuses/1676274392014233613\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688489933000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: RAT Controller – Shodan / Recorded Future. Observed between Aug 26, 2023, and Sep 10, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695134453213,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""44 sightings on 1 source: Recorded Future Command & Control Reports. 
120.76.173.159:50050 was reported as a command and control server for Cobalt Strike on Aug 07, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691482860547,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""29 sightings on 1 source: DHS Automated Indicator Sharing. 29 reports including CCCS-IXR_2023_87141_1, from TintedSponge57 (Sep 18, 2023).\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695012730306,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 37.120.144.231 on 4 ports including 59569 and 120.76.173.159 (validated Cobalt Strike C2 Server) on port 8092 on 2023-09-14 at 00:33 UTC. Domain(s) kobilica.synology.me recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""421 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.76.173.159:8091 as a command and control server for Cobalt Strike on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695025854875,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 120.76.173.159 was identified as phishing in External Sensor data. Reported to Recorded Future on Jul 07, 2023.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1688769306625,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 37.120.144.231 on 5 ports including 41503 and 120.76.173.159 (validated Cobalt Strike C2 Server) on port 8092 on 2023-09-18 at 21:24 UTC. Domain(s) www.rjxh.cloud and rjxh.cloud recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.76.173.159:8091 as a command and control server for Cobalt Strike on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695112268437,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"120.76.173.159",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 12:49:52.373 PM",,,permit,NetScreen,"58.87.99.181",internet,80,TCP,"10.1.31.145",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.378 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--4f49f375-b177-4142-9955-ce366ac69347","9/20/2023, 5:45:07.881 PM",EE4AEAD133E2D384D04A74E60B44F48C977C571599A2A9E047B27A09C5B28793,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: Malware Control Server, from Silas Cutler Scanning ( OnlyScans.net ) (Jul 4, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688433002721,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Botnet Traffic\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as botnets. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872826,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Open Proxies\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as proxy. No longer observed as of Nov 01, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635742241311,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as phishing. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872795,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Spam Source\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Spam. 58.87.99.181 was identified as spam in External Sensor data. 
Reported to Recorded Future on Oct 04, 2022.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1664881124897,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""42 sightings on 1 source: Recorded Future Command & Control Reports. 58.87.99.181:7777 was reported as a command and control server for Cobalt Strike on Aug 13, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1692001381048,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 58.87.99.181:7777 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1162896\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694495940000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""8 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 3 ports including 46073 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-16 at 09:50 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""221 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:7777 as a command and control server for Cobalt Strike on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695025878278,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: RAT Controller – Shodan / Recorded Future.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1695134751267,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 4 ports including 53153 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-18 at 12:46 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:7777 as a command and control server for Cobalt Strike on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695112256636,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"58.87.99.181",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:24.818 AM",,,permit,NetScreen,"146.56.42.196",internet,80,TCP,"10.1.142.153",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.397 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--5aedfafb-68ba-464c-8daf-a89f35cebff6","9/20/2023, 5:45:08.700 PM",AAB09D04CFB6BDB15FDA756B14715F3803345A59B0769DFC9BD22B225FB2BB5D,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""24 sightings on 1 source: Recorded Future Command & Control Reports. 146.56.42.196:8001 was reported as a command and control server for Cobalt Strike on Sep 04, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1693815841533,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 146.56.42.196:8001 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1163265\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694546902000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 217.138.192.221 on 2 ports including 49149 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-16 at 06:27 UTC. Domain(s) hu.budapest.private-internet-access.vilfoservers.com recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""53 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695025814211,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: RAT Controller – Shodan / Recorded Future.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1695127170227,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 217.138.192.220 on 2 ports including 60703 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-18 at 09:21 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695112285603,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"146.56.42.196",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:23.280 AM",,,permit,NetScreen,"120.78.156.73",internet,443,TCP,"10.1.86.92",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.050 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",98,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ada32671-627f-4261-a620-b143395933d2","9/18/2023, 5:45:10.800 PM",956AB29E9C5DA4D9794261BD3F39CB00FF241F6C0A52D9A9129370D36BE75F13,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""1 sighting on 1 source: @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent tweet: Cobalt Strike server found C2: HTTP @ 120[.]78[.]156[.]73:12345 C2 Server: 120[.]78[.]156[.]73,/fwlink Country: China (AS37963) ASN: ALIBABA-CN-NET Hangz... #C2 #cobaltstrike. Most recent link (May 29, 2023): https://twitter.com/drb_ra/statuses/1663220146251485186\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1685377558000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: @drb_ra. Most recent tweet: Cobalt Strike server found C2: HTTP @ 120[.]78[.]156[.]73:12345 C2 Server: 120[.]78[.]156[.]73,/fwlink Country: China (AS37963) ASN: ALIBABA-CN-NET Hangz... #C2 #cobaltstrike. 
Most recent link (May 29, 2023): https://twitter.com/drb_ra/statuses/1663220146251485186\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1685377558000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""26 sightings on 1 source: Recorded Future Command & Control Reports. 120.78.156.73:50050 was reported as a command and control server for Cobalt Strike on Jun 26, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1687854138266,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""4 sightings on 1 source: DHS Automated Indicator Sharing. 4 reports including CCCS-IXR_2023_87111_1, from FluorescentFiddlehead52 (Sep 17, 2023).\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694951530054,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""284 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.78.156.73:12345 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853020605,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.54.115 on 2 ports including 52183 and 120.78.156.73 (validated Cobalt Strike C2 Server) on port 12345 on 2023-09-16 at 00:41 UTC. Domain(s) beg-288.totallyacdn.com, beg-288.staticnetcontent.com, beg-288.windscribe.com, and others recently resolved to the suspected victim IP. 
\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.78.156.73:12345 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939421894,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"120.78.156.73",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 4:49:59.029 AM",,,permit,NetScreen,"178.62.68.57",internet,80,TCP,"10.1.14.13",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.082 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--8ebb17b9-163f-4a0f-baf1-b9f9a32697bb","9/18/2023, 5:45:11.344 PM",EF356887F1D4E192D37846840DF2BCD0CC175C32068BFEB138C83D0F8F1E2FEC,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 12, 2023): https://twitter.com/drb_ra/statuses/1701690137069998538\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694549519000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Sep 16, 2023): https://twitter.com/malpulse/statuses/1703075414044811487\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 178.62.68.57:443 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 16, 2023. Most recent link (Sep 16, 2023): https://threatfox.abuse.ch/ioc/1163301\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 194.127.199.100 on 8 ports including 51312 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-15 at 00:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694849403081,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""18 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 
178.62.68.57:443 was reported as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956663002,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 216.131.110.3 on 2 ports including 37891 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-16 at 17:29 UTC. Domain(s) elitelearning.online recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694935816587,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"178.62.68.57",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 10:49:51.966 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL 
Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 12:49:52.373 PM",,,permit,NetScreen,"58.87.99.181",internet,80,TCP,"10.1.31.145",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.096 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--2a5bea34-87b0-407d-bb18-a95fbaa64bbd","9/18/2023, 5:45:10.797 PM",EE4AEAD133E2D384D04A74E60B44F48C977C571599A2A9E047B27A09C5B28793,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: Malware Control Server, from Silas Cutler Scanning ( OnlyScans.net ) (Jul 4, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688433002721,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 
Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Botnet Traffic\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as botnets. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872826,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Open Proxies\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as proxy. No longer observed as of Nov 01, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635742241311,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as phishing. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872795,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Spam Source\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Spam. 58.87.99.181 was identified as spam in External Sensor data. Reported to Recorded Future on Oct 04, 2022.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1664881124897,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""42 sightings on 1 source: Recorded Future Command & Control Reports. 
58.87.99.181:7777 was reported as a command and control server for Cobalt Strike on Aug 13, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1692001381048,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 58.87.99.181:7777 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1162896\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694495940000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""6 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 2 ports including 57049 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-14 at 00:43 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""215 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853064834,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: RAT Controller – Shodan / Recorded Future.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694946832854,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 86.105.155.248 on 3 ports including 46073 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-16 at 09:50 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939469935,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"58.87.99.181",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 10:49:57.489 AM",,,permit,NetScreen,"101.43.183.39",internet,443,TCP,"10.1.0.14",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.099 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--970037d7-00e8-4330-a50b-e6d28a7ce4d5","9/18/2023, 5:45:11.060 PM",1774E59DC3A04EA16392084FA510938EE69F821A05AD1D69A552F543E280A421,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""4 sightings on 3 sources: C2IntelFeeds IPC2s, Twitter, Recorded Future Command & Control List. 3 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST), Cobalt Strike Beacon. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. 
ThreatFox identified 101.43.183.39:35535 as possible TA0011 (Command and Control) for CobaltStrike Beacon on August 05, 2023. Most recent link (Aug 5, 2023): https://threatfox.abuse.ch/ioc/1148839\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691270041000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Linked to Cyber Attack\"",\""EvidenceString\"":\""1 sighting on 1 source: C2IntelFeeds IPC2s. Most recent link (Mar 30, 2022): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=101.43.183.39_20220330\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1648643432000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recently Viewed Integrations Indicators. Observed between Sep 9, 2023, and Sep 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694962273702,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""33 sightings on 2 sources: Recorded Future Command & Control Reports, Recorded Future Command & Control List. 101.43.183.39:35538 was reported as a command and control server for Cobalt Strike on Jun 26, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1687854159331,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""4 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 146.70.97.187 on 2 ports including 47335 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-14 at 00:48 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""263 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 101.43.183.39:35538 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853067523,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.97.185 on 2 ports including 39389 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-16 at 21:03 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 101.43.183.39:35538 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939472557,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"101.43.183.39",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:24.818 AM",,,permit,NetScreen,"146.56.42.196",internet,80,TCP,"10.1.142.153",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.112 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--dbebefaf-1733-4294-83e0-f73f11a81151","9/18/2023, 5:45:11.580 PM",AAB09D04CFB6BDB15FDA756B14715F3803345A59B0769DFC9BD22B225FB2BB5D,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""22 sightings on 1 source: Recorded Future Command & Control Reports. 146.56.42.196:8001 was reported as a command and control server for Cobalt Strike on Sep 03, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1693729446236,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 146.56.42.196:8001 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1163265\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694546902000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.106.74.117 on 3 ports including 53053 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-13 at 04:41 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694563200000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""48 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853034997,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 
146.56.42.196:8001 was reported as a command and control server for Cobalt Strike on Sep 04, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694947729362,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 217.138.192.221 on 2 ports including 49149 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-16 at 06:27 UTC. Domain(s) hu.budapest.private-internet-access.vilfoservers.com recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939437099,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"146.56.42.196",,,,,,,,,,,,,,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 10:49:57.674 AM",,,permit,NetScreen,"143.198.46.29",internet,443,TCP,"10.1.15.109",office,"NetScreen_Firewall_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.116 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--0e7c0dd3-c8be-4d49-a98b-f09cc90f513e","9/18/2023, 5:45:11.702 PM",28A37CA91979C4084FB90A47A6B2EA425C5C2483ECDE292EB99896E74F1B8140,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Sep 13, 2023): https://twitter.com/drb_ra/statuses/1701775882677780886\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694569962000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: CINS: CI Army List. Observed between Jun 8, 2023, and Jun 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694962871531,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 143.198.46.29:5060 as possible TA0011 (Command and Control) for BianLian on September 13, 2023. Most recent link (Sep 13, 2023): https://threatfox.abuse.ch/ioc/1163394\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694587669000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""5 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 198.98.15.206 on port 24264 and 143.198.46.29 (validated BianLian C2 Server) on port 5060 on 2023-09-15 at 06:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""5 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 143.198.46.29:5060 as a command and control server for BianLian on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863826737,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""4 sightings on 1 source: Recorded Future Command & Control Reports. 
143.198.46.29:5060 was reported as a command and control server for BianLian on Sep 14, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694766147073,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 198.98.15.208 on port 26688 and 143.198.46.29 (validated BianLian C2 Server) on port 5060 on 2023-09-16 at 06:34 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 143.198.46.29:5060 as a command and control server for BianLian on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950233599,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"143.198.46.29",,,,,,,,,,,,,,,ThreatIntelligenceIndicator diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv new file mode 100644 index 00000000000..d47ad4d2b1e --- /dev/null +++ b/Sample Data/Custom/Recoreded Future/RecordedFutureIPWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv 
@@ -0,0 +1,19 @@ +TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Device_s","Dst_IPv4_s","Dst_Zone_s","Port_s","Protocol_s","Src_IPv4_s","Src_Zone_s",Type1,"_ResourceId" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL 
Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 10:49:51.966 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. 
Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 11:49:51.450 AM",,,permit,NetScreen,"103.149.90.235",internet,80,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.096 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--2a5bea34-87b0-407d-bb18-a95fbaa64bbd","9/18/2023, 5:45:10.797 PM",EE4AEAD133E2D384D04A74E60B44F48C977C571599A2A9E047B27A09C5B28793,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: Malware Control Server, from Silas Cutler Scanning ( OnlyScans.net ) (Jul 4, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688433002721,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Botnet Traffic\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as botnets. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872826,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Open Proxies\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as proxy. No longer observed as of Nov 01, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635742241311,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as phishing. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872795,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Spam Source\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Spam. 58.87.99.181 was identified as spam in External Sensor data. 
Reported to Recorded Future on Oct 04, 2022.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1664881124897,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""42 sightings on 1 source: Recorded Future Command & Control Reports. 58.87.99.181:7777 was reported as a command and control server for Cobalt Strike on Aug 13, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1692001381048,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 58.87.99.181:7777 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1162896\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694495940000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""6 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 2 ports including 57049 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-14 at 00:43 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""215 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853064834,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: RAT Controller – Shodan / Recorded Future.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694946832854,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 3 ports including 46073 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-16 at 09:50 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939469935,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"58.87.99.181",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 12:49:52.373 PM",,,permit,NetScreen,"58.87.99.181",internet,80,TCP,"10.1.31.145",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. 
Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 7:49:51.362 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. 
Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 2:49:48.374 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. 
Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 5:49:51.463 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. 
Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 6:49:52.577 AM",,,permit,NetScreen,"103.149.90.235",internet,443,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.089 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ca8ca2ac-83d4-42c0-ae9a-036469f529b5","9/18/2023, 5:45:10.780 PM",28DABCF576DFEEB6D2AFFF0292A6B3F106FAC7A4E8CBA782FE5EF4B61E552419,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Vulnerable Host\"",\""EvidenceString\"":\""1 sighting on 1 source: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Observed in the Wild by Recorded Future Telemetry\"",\""EvidenceString\"":\""1 sighting on 1 source: Recently Viewed Integrations Indicators. Observed in the wild by Recorded Future Telemetry.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426355,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 4 sources: Shodan: CVE-2014-0160 Heartbleed Vulnerable SSL Hosts, Recorded Future Analyst Community Trending Indicators, Recently Viewed Integrations Indicators, RAT Controller – Shodan / Recorded Future. 
Observed between Jun 26, 2023, and Aug 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694956426435,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""122 sightings on 1 source: Recorded Future Command & Control Reports. 103.149.90.235:443 was reported as a command and control server for Trochilus on Jul 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1689841315671,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""45 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 58.27.212.48 on 47 ports including 38253 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-15 at 00:20 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""718 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863867825,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""6 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 103.149.90.235:443 was reported as a command and control server for Trochilus on Aug 12, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956426356,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 103.118.3.13 on 27 ports including 57043 and 103.149.90.235 (validated Trochilus C2 Server) on port 443 on 2023-09-16 at 00:40 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 103.149.90.235:443 as a command and control server for Trochilus on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950289162,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"103.149.90.235",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 9:49:49.988 AM",,,permit,NetScreen,"103.149.90.235",internet,80,TCP,"10.1.149.125",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.096 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--2a5bea34-87b0-407d-bb18-a95fbaa64bbd","9/18/2023, 5:45:10.797 PM",EE4AEAD133E2D384D04A74E60B44F48C977C571599A2A9E047B27A09C5B28793,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 
1 report: Malware Control Server, from Silas Cutler Scanning ( OnlyScans.net ) (Jul 4, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688433002721,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Aug 3, 2023): https://twitter.com/drb_ra/statuses/1687151980165152769\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691083352000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Botnet Traffic\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as botnets. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872826,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Open Proxies\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as proxy. No longer observed as of Nov 01, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635742241311,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 58.87.99.181 was historically observed as phishing. No longer observed as of Nov 03, 2021.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1635912872795,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Spam Source\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Spam. 58.87.99.181 was identified as spam in External Sensor data. 
Reported to Recorded Future on Oct 04, 2022.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1664881124897,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""42 sightings on 1 source: Recorded Future Command & Control Reports. 58.87.99.181:7777 was reported as a command and control server for Cobalt Strike on Aug 13, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1692001381048,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 58.87.99.181:7777 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1162896\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694495940000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""6 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 2 ports including 57049 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-14 at 00:43 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""215 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853064834,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: RAT Controller – Shodan / Recorded Future.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694946832854,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.105.155.248 on 3 ports including 46073 and 58.87.99.181 (validated Cobalt Strike C2 Server) on port 6666 on 2023-09-16 at 09:50 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 58.87.99.181:6666 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939469935,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"58.87.99.181",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/18/2023, 1:49:52.170 PM",,,permit,NetScreen,"58.87.99.181",internet,80,TCP,"10.1.31.145",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.082 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--8ebb17b9-163f-4a0f-baf1-b9f9a32697bb","9/18/2023, 5:45:11.344 PM",EF356887F1D4E192D37846840DF2BCD0CC175C32068BFEB138C83D0F8F1E2FEC,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 12, 2023): https://twitter.com/drb_ra/statuses/1701690137069998538\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694549519000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Sep 16, 2023): https://twitter.com/malpulse/statuses/1703075414044811487\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 178.62.68.57:443 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 16, 2023. 
Most recent link (Sep 16, 2023): https://threatfox.abuse.ch/ioc/1163301\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 194.127.199.100 on 8 ports including 51312 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-15 at 00:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694849403081,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""18 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 178.62.68.57:443 was reported as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956663002,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 216.131.110.3 on 2 ports including 37891 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-16 at 17:29 UTC. 
Domain(s) elitelearning.online recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694935816587,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"178.62.68.57",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 4:49:59.029 AM",,,permit,NetScreen,"178.62.68.57",internet,80,TCP,"10.1.14.13",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.082 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--8ebb17b9-163f-4a0f-baf1-b9f9a32697bb","9/18/2023, 5:45:11.344 PM",EF356887F1D4E192D37846840DF2BCD0CC175C32068BFEB138C83D0F8F1E2FEC,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 12, 2023): https://twitter.com/drb_ra/statuses/1701690137069998538\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694549519000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Sep 16, 2023): https://twitter.com/malpulse/statuses/1703075414044811487\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 178.62.68.57:443 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 16, 2023. Most recent link (Sep 16, 2023): https://threatfox.abuse.ch/ioc/1163301\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 194.127.199.100 on 8 ports including 51312 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-15 at 00:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694849403081,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""18 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 
178.62.68.57:443 was reported as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956663002,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 216.131.110.3 on 2 ports including 37891 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-16 at 17:29 UTC. Domain(s) elitelearning.online recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694935816587,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"178.62.68.57",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 5:49:56.711 AM",,,permit,NetScreen,"178.62.68.57",internet,443,TCP,"10.1.14.13",office,"NetScreen_Firewall_CL", +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:45:36.354 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--45ac5238-6f6b-4e37-8d3c-02e8df399185","9/20/2023, 5:45:07.767 PM",8F9AAD5C814D1F022CE005D3CC39C10FE5320F84FAC86EAEDB253422AE7E920D,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Jul 4, 2023): https://twitter.com/drb_ra/statuses/1676274392014233613\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688489933000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C Server\"",\""EvidenceString\"":\""3 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 120.76.173.159:8091 as possible TA0011 (Command and Control) for CobaltStrike Beacon on August 05, 2023. Most recent link (Aug 5, 2023): https://threatfox.abuse.ch/ioc/1148829\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691259967000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""21 sightings on 1 source: DHS Automated Indicator Sharing. 21 reports including CCCS-IXR_2023_86526_1, from YummyBellPepper50 (Sep 1, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693569130028,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Jul 4, 2023): https://twitter.com/drb_ra/statuses/1676274392014233613\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1688489933000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: RAT Controller – Shodan / Recorded Future. Observed between Aug 26, 2023, and Sep 10, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1695134453213,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""44 sightings on 1 source: Recorded Future Command & Control Reports. 
120.76.173.159:50050 was reported as a command and control server for Cobalt Strike on Aug 07, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1691482860547,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""29 sightings on 1 source: DHS Automated Indicator Sharing. 29 reports including CCCS-IXR_2023_87141_1, from TintedSponge57 (Sep 18, 2023).\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695012730306,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 37.120.144.231 on 4 ports including 59569 and 120.76.173.159 (validated Cobalt Strike C2 Server) on port 8092 on 2023-09-14 at 00:33 UTC. Domain(s) kobilica.synology.me recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""421 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.76.173.159:8091 as a command and control server for Cobalt Strike on Sep 18, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1695025854875,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Phishing Host\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 120.76.173.159 was identified as phishing in External Sensor data. Reported to Recorded Future on Jul 07, 2023.\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1688769306625,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. 
Multiple communications observed between 37.120.144.231 on 5 ports including 41503 and 120.76.173.159 (validated Cobalt Strike C2 Server) on port 8092 on 2023-09-18 at 21:24 UTC. Domain(s) www.rjxh.cloud and rjxh.cloud recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694995200000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.76.173.159:8091 as a command and control server for Cobalt Strike on Sep 19, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1695112268437,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"120.76.173.159",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:23.687 AM",,,permit,NetScreen,"120.76.173.159",internet,80,TCP,"10.1.42.223",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.082 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--8ebb17b9-163f-4a0f-baf1-b9f9a32697bb","9/18/2023, 5:45:11.344 PM",EF356887F1D4E192D37846840DF2BCD0CC175C32068BFEB138C83D0F8F1E2FEC,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. Most recent link (Sep 12, 2023): https://twitter.com/drb_ra/statuses/1701690137069998538\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694549519000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent link (Sep 16, 2023): https://twitter.com/malpulse/statuses/1703075414044811487\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 178.62.68.57:443 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 16, 2023. Most recent link (Sep 16, 2023): https://threatfox.abuse.ch/ioc/1163301\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 194.127.199.100 on 8 ports including 51312 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-15 at 00:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694849403081,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""18 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 
178.62.68.57:443 was reported as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956663002,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 216.131.110.3 on 2 ports including 37891 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-16 at 17:29 UTC. Domain(s) elitelearning.online recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694935816587,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"178.62.68.57",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 3:49:59.037 AM",,,permit,NetScreen,"178.62.68.57",internet,80,TCP,"10.1.14.13",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.116 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--0e7c0dd3-c8be-4d49-a98b-f09cc90f513e","9/18/2023, 5:45:11.702 PM",28A37CA91979C4084FB90A47A6B2EA425C5C2483ECDE292EB99896E74F1B8140,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Sep 13, 2023): https://twitter.com/drb_ra/statuses/1701775882677780886\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694569962000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: CINS: CI Army List. Observed between Jun 8, 2023, and Jun 8, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694962871531,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 143.198.46.29:5060 as possible TA0011 (Command and Control) for BianLian on September 13, 2023. Most recent link (Sep 13, 2023): https://threatfox.abuse.ch/ioc/1163394\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694587669000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""5 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 198.98.15.206 on port 24264 and 143.198.46.29 (validated BianLian C2 Server) on port 5060 on 2023-09-15 at 06:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""5 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 143.198.46.29:5060 as a command and control server for BianLian on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694863826737,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""4 sightings on 1 source: Recorded Future Command & Control Reports. 
143.198.46.29:5060 was reported as a command and control server for BianLian on Sep 14, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694766147073,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 198.98.15.208 on port 26688 and 143.198.46.29 (validated BianLian C2 Server) on port 5060 on 2023-09-16 at 06:34 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 143.198.46.29:5060 as a command and control server for BianLian on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694950233599,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"143.198.46.29",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 10:49:57.674 AM",,,permit,NetScreen,"143.198.46.29",internet,443,TCP,"10.1.15.109",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.082 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--8ebb17b9-163f-4a0f-baf1-b9f9a32697bb","9/18/2023, 5:45:11.344 PM",EF356887F1D4E192D37846840DF2BCD0CC175C32068BFEB138C83D0F8F1E2FEC,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Sep 12, 2023): https://twitter.com/drb_ra/statuses/1701690137069998538\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694549519000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Sep 16, 2023): https://twitter.com/malpulse/statuses/1703075414044811487\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 178.62.68.57:443 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 16, 2023. Most recent link (Sep 16, 2023): https://threatfox.abuse.ch/ioc/1163301\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694879794000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 194.127.199.100 on 8 ports including 51312 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-15 at 00:08 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694736000000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""10 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694849403081,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""18 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 178.62.68.57:443 was reported as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694956663002,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 216.131.110.3 on 2 ports including 37891 and 178.62.68.57 (validated Cobalt Strike C2 Server) on port 443 on 2023-09-16 at 17:29 UTC. Domain(s) elitelearning.online recently resolved to the C2 IP.\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 178.62.68.57:443 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694935816587,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"178.62.68.57",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 1:26:16.009 PM",,,permit,NetScreen,"178.62.68.57",internet,443,TCP,"10.1.14.13",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.099 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--970037d7-00e8-4330-a50b-e6d28a7ce4d5","9/18/2023, 5:45:11.060 PM",1774E59DC3A04EA16392084FA510938EE69F821A05AD1D69A552F543E280A421,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""4 sightings on 3 sources: C2IntelFeeds IPC2s, Twitter, Recorded Future Command & Control List. 3 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST), Cobalt Strike Beacon. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: ThreatFox Infrastructure Analysis, Malware Patrol. ThreatFox identified 101.43.183.39:35535 as possible TA0011 (Command and Control) for CobaltStrike Beacon on August 05, 2023. Most recent link (Aug 5, 2023): https://threatfox.abuse.ch/ioc/1148839\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691270041000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Linked to Cyber Attack\"",\""EvidenceString\"":\""1 sighting on 1 source: C2IntelFeeds IPC2s. 
Most recent link (Mar 30, 2022): https://github.com/drb-ra/C2IntelFeeds/blob/master/feeds/IPC2s-30day.csv?q=101.43.183.39_20220330\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1648643432000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""2 sightings on 1 source: Twitter. Most recent link (Jun 12, 2023): https://twitter.com/drb_ra/statuses/1668292955633774595\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686587010000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported in Threat List\"",\""EvidenceString\"":\""Previous sightings on 1 source: Recently Viewed Integrations Indicators. Observed between Sep 9, 2023, and Sep 16, 2023.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694962273702,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""33 sightings on 2 sources: Recorded Future Command & Control Reports, Recorded Future Command & Control List. 101.43.183.39:35538 was reported as a command and control server for Cobalt Strike on Jun 26, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1687854159331,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""4 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.97.187 on 2 ports including 47335 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-14 at 00:48 UTC. \"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694649600000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""263 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 101.43.183.39:35538 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853067523,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.97.185 on 2 ports including 39389 and 101.43.183.39 (validated Cobalt Strike C2 Server) on port 35535 on 2023-09-16 at 21:03 UTC. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 101.43.183.39:35538 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939472557,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"101.43.183.39",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 10:49:57.489 AM",,,permit,NetScreen,"101.43.183.39",internet,443,TCP,"10.1.0.14",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.050 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",98,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--ada32671-627f-4261-a620-b143395933d2","9/18/2023, 5:45:10.800 PM",956AB29E9C5DA4D9794261BD3F39CB00FF241F6C0A52D9A9129370D36BE75F13,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Linked to Intrusion Method\"",\""EvidenceString\"":\""1 sighting on 1 source: @drb_ra. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). 
Most recent tweet: Cobalt Strike server found C2: HTTP @ 120[.]78[.]156[.]73:12345 C2 Server: 120[.]78[.]156[.]73,/fwlink Country: China (AS37963) ASN: ALIBABA-CN-NET Hangz... #C2 #cobaltstrike. Most recent link (May 29, 2023): https://twitter.com/drb_ra/statuses/1663220146251485186\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1685377558000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: @drb_ra. Most recent tweet: Cobalt Strike server found C2: HTTP @ 120[.]78[.]156[.]73:12345 C2 Server: 120[.]78[.]156[.]73,/fwlink Country: China (AS37963) ASN: ALIBABA-CN-NET Hangz... #C2 #cobaltstrike. Most recent link (May 29, 2023): https://twitter.com/drb_ra/statuses/1663220146251485186\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1685377558000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""26 sightings on 1 source: Recorded Future Command & Control Reports. 120.78.156.73:50050 was reported as a command and control server for Cobalt Strike on Jun 26, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1687854138266,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""4 sightings on 1 source: DHS Automated Indicator Sharing. 4 reports including CCCS-IXR_2023_87111_1, from FluorescentFiddlehead52 (Sep 17, 2023).\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694951530054,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""284 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 120.78.156.73:12345 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853020605,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 146.70.54.115 on 2 ports including 52183 and 120.78.156.73 (validated Cobalt Strike C2 Server) on port 12345 on 2023-09-16 at 00:41 UTC. Domain(s) beg-288.totallyacdn.com, beg-288.staticnetcontent.com, beg-288.windscribe.com, and others recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 120.78.156.73:12345 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939421894,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"120.78.156.73",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:23.280 AM",,,permit,NetScreen,"120.78.156.73",internet,443,TCP,"10.1.86.92",office,"NetScreen_Firewall_CL",
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:45:35.112 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",99,"Recorded Future - IP - Actively Communicating C&C Server",,"indicator--dbebefaf-1733-4294-83e0-f73f11a81151","9/18/2023, 5:45:11.580 PM",AAB09D04CFB6BDB15FDA756B14715F3803345A59B0769DFC9BD22B225FB2BB5D,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Recently Reported as a Defanged IP\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 
Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported C&C Server\"",\""EvidenceString\"":\""22 sightings on 1 source: Recorded Future Command & Control Reports. 146.56.42.196:8001 was reported as a command and control server for Cobalt Strike on Sep 03, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1693729446236,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Linked to Intrusion Method\"",\""EvidenceString\"":\""1 sighting on 1 source: Twitter. 2 related intrusion methods: Cobalt Strike, Offensive Security Tools (OST). Most recent link (Sep 15, 2023): https://twitter.com/drb_ra/statuses/1702724208420176104\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694796061000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recent Suspected C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified 146.56.42.196:8001 as possible TA0011 (Command and Control) for CobaltStrike Beacon on September 12, 2023. Most recent link (Sep 12, 2023): https://threatfox.abuse.ch/ioc/1163265\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694546902000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Communicating Validated C&C Server\"",\""EvidenceString\"":\""1 sighting on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 86.106.74.117 on 3 ports including 53053 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-13 at 04:41 UTC. 
\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694563200000,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Previously Validated C&C Server\"",\""EvidenceString\"":\""48 sightings on 1 source: Recorded Future Command & Control Validation. Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 16, 2023\"",\""CriticalityLabel\"":\""Suspicious\"",\""Timestamp\"":1694853034997,\""MitigationString\"":\""\"",\""Criticality\"":2},{\""Rule\"":\""Recently Reported C&C Server\"",\""EvidenceString\"":\""4 sightings on 2 sources: Recorded Future Command & Control Reports, RAT Controller – Shodan / Recorded Future. 146.56.42.196:8001 was reported as a command and control server for Cobalt Strike on Sep 04, 2023\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694947729362,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Actively Communicating Validated C&C Server\"",\""EvidenceString\"":\""2 sightings on 1 source: Recorded Future Network Intelligence. Multiple communications observed between 217.138.192.221 on 2 ports including 49149 and 146.56.42.196 (validated Cobalt Strike C2 Server) on port 8001 on 2023-09-16 at 06:27 UTC. Domain(s) hu.budapest.private-internet-access.vilfoservers.com recently resolved to the suspected victim IP. \"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694822400000,\""MitigationString\"":\""\"",\""Criticality\"":4},{\""Rule\"":\""Validated C&C Server\"",\""EvidenceString\"":\""3 sightings on 1 source: Recorded Future Command & Control Validation. 
Recorded Future analysis validated 146.56.42.196:8001 as a command and control server for Cobalt Strike on Sep 17, 2023\"",\""CriticalityLabel\"":\""Very Malicious\"",\""Timestamp\"":1694939437099,\""MitigationString\"":\""\"",\""Criticality\"":4}]""]",unknown,,,,,,,,,,,,,,,,,,,,,"146.56.42.196",,,,,,,,,,,,,,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/19/2023, 11:26:24.818 AM",,,permit,NetScreen,"146.56.42.196",internet,80,TCP,"10.1.142.153",office,"NetScreen_Firewall_CL",
diff --git a/Solutions/Recorded Future/Sample Data/RecordedFutureRisklist_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureRisklist_IngestedLogs.csv
similarity index 100%
rename from Solutions/Recorded Future/Sample Data/RecordedFutureRisklist_IngestedLogs.csv
rename to Sample Data/Custom/Recoreded Future/RecordedFutureRisklist_IngestedLogs.csv
diff --git a/Solutions/Recorded Future/Sample Data/RecordedFutureRisklist_RawLogs.json b/Sample Data/Custom/Recoreded Future/RecordedFutureRisklist_RawLogs.json
similarity index 100%
rename from Solutions/Recorded Future/Sample Data/RecordedFutureRisklist_RawLogs.json
rename to Sample Data/Custom/Recoreded Future/RecordedFutureRisklist_RawLogs.json
diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ExampleUrlProxyLog_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ExampleUrlProxyLog_IngestedLogs.csv
new file mode 100644
index 00000000000..aa51d85dd1b
--- /dev/null
+++ b/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ExampleUrlProxyLog_IngestedLogs.csv
@@ -0,0 +1,744 @@
+TenantId,SourceSystem,MG,ManagementGroupName,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type,"_ResourceId",TenantId1,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem1,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type1
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:58:57.906 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3cf01705-9adb-4406-a149-dbfc568951cc","9/8/2023, 3:08:34.483 
PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:45:45.619 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--998f5603-ee14-4ca8-a393-68a8de04cd0f","9/8/2023, 3:08:24.883 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:52:23.054 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--998f5603-ee14-4ca8-a393-68a8de04cd0f","9/8/2023, 3:08:24.883 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 
sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:36:38.010 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f3dcc51-29c6-4181-98a3-28b9c39eb02a","9/8/2023, 9:08:23.707 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:23.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4261dfe6-0916-4337-8ad3-b515cc61f232","9/10/2023, 11:45:08.831 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:23.440 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c45a51de-1ed9-4f6f-900e-bbbeab678cd1","9/10/2023, 11:45:09.316 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:29.337 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--387ffa39-6350-4c28-88cf-2c26f3b7af6e","9/10/2023, 11:45:18.367 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:38.542 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--631ff8f1-60a3-47da-8988-e76369ed3091","9/10/2023, 11:45:28.777 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/9/2023, 11:45:38.632 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e18e1ed4-2985-4c2b-b767-29a63ca6dd95","9/10/2023, 11:45:29.308 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU 
Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:23.111 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c14a74be-53e2-4edf-98a2-b303c6a1034b","9/13/2023, 11:45:08.991 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:23.311 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--58d16d22-7ad7-4ba3-8188-d99a8ee60738","9/13/2023, 11:45:12.052 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex 
DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:29.360 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6dff631-1ca9-41d6-87f9-91a12154d783","9/13/2023, 11:45:13.674 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:45:29.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ccf92ba-e9f0-49cd-ab8c-7213e35b66d0","9/13/2023, 11:45:13.454 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/12/2023, 11:52:28.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28a1d0a1-6b87-47e4-b57c-23cdea373657","9/13/2023, 11:45:31.556 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 11:45:41.968 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ec0c90c3-5210-41ad-9937-a4ab7f0358e3","8/30/2023, 11:45:22.249 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/29/2023, 11:45:42.527 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63756c29-fb16-41a4-b0b2-03cec7e4b378","8/30/2023, 11:45:21.359 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:45:37.436 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0868128c-2a51-4514-880c-a207eee6a4c0","8/29/2023, 11:45:14.917 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:45:43.068 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f8f7a1ae-0690-4423-a1f1-8f9ecdd02db6","8/29/2023, 11:45:18.632 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, 
CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:02.129 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--24da7ca1-a933-4fa0-8398-c5f0132f7d69","8/29/2023, 11:45:38.488 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:07.552 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--15ab8d31-a93c-496b-b42c-4147bed2cd0a","8/29/2023, 11:45:39.066 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/28/2023, 11:46:27.026 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--10edc673-06e7-4d0b-98cd-a35f7d1e3263","8/29/2023, 11:45:57.423 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:27.878 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6358278c-c011-415a-ac3e-03e221a4ace4","9/4/2023, 11:45:10.522 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:37.217 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8fd4a260-daa2-4b68-bfac-ab3162115b2c","9/4/2023, 11:45:14.702 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:37.985 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7c7adce-adfd-4a40-94b3-ef2e4a169ff3","9/4/2023, 11:45:19.364 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:45:48.337 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b88e4053-823e-4463-91e7-c0aea8ae6faf","9/4/2023, 11:45:23.037 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/3/2023, 11:55:17.716 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--738a44c8-32d0-48b0-846f-72a4645baa41","9/4/2023, 11:45:43.912 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:24.198 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--412cbdf0-aebe-481a-8b0d-286c2c003b72","9/3/2023, 11:45:05.037 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:43.032 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--12b028ed-6c81-41c3-a54e-54a2be90a55e","9/3/2023, 11:45:18.225 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, 
rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:43.213 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94738acc-835b-487b-bac1-2b772beee4ce","9/3/2023, 11:45:16.655 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:45:52.591 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d20f173-9409-46dd-8561-d60690fd5ab8","9/3/2023, 11:45:28.993 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/2/2023, 11:54:32.675 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--df8b460f-76ff-4c03-8f4e-d310bee4317e","9/3/2023, 11:45:22.754 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:23.478 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--78b17a6e-8fa5-437c-b4b7-349e7e3b087d","9/11/2023, 11:45:10.277 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and 
Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:23.497 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6898f7ac-cbf9-4171-b3e7-ba151c8847a9","9/11/2023, 11:45:08.739 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:27.936 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd92c253-be9e-497f-b338-2d658183fb19","9/11/2023, 11:45:16.411 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:45:33.000 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5866a8d3-f7ae-44c8-a5b2-d153858cbb36","9/11/2023, 11:45:20.766 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/10/2023, 11:50:52.961 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--97854d8b-740e-4967-ad97-7b986c6013dc","9/11/2023, 11:45:34.094 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:16.520 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ff37d457-2854-400a-8714-9a8267fb8a46","9/16/2023, 7:08:05.445 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:16.662 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d66e2735-d1cd-494d-a2d4-a85dce35534c","9/16/2023, 7:08:02.698 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:20.262 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a44744ac-4897-4ed9-b40b-4c66c5a20878","9/16/2023, 7:08:06.893 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:40.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--109eec66-ecfa-4d69-a2f2-fa3d4c762c3c","9/16/2023, 7:08:20.352 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:40.829 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0fba9232-ad9d-486a-b5a2-a56836d84f95","9/16/2023, 7:08:20.962 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:16.245 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6d705784-3b3e-46cc-a70e-7df5c4c1d987","9/16/2023, 9:07:59.956 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry 
Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:30.740 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc29b080-b595-47ca-82d0-25541dbadac0","9/16/2023, 9:08:04.454 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:35.419 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13b867c2-5207-4f96-b411-413249c28ef5","9/16/2023, 9:08:18.706 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:35.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--39a10dc3-b6ef-4fee-a11b-723d3654da97","9/16/2023, 9:08:17.589 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:40.382 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1821e8b5-abd8-4ac3-b702-6683fb5f7a3d","9/16/2023, 9:08:20.662 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:26.286 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--44a0a44d-2d5f-42f9-be34-3392ed8144d9","9/16/2023, 11:08:02.329 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto 
Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:27.816 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c584f0-2907-43a6-a769-79e100f3b58a","9/16/2023, 11:08:04.683 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry 
Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:40.795 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--699c5359-49cd-4219-86c4-e15251e1ce42","9/16/2023, 11:08:13.671 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:09:04.429 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c584f0-2907-43a6-a769-79e100f3b58a","9/16/2023, 11:08:04.683 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator
+"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:09:04.682 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--59868f1c-a303-44a2-835e-c5d740520c90","9/16/2023, 11:08:23.132 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:11:55.839 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0adba859-888c-403e-bbdc-eea31a2ffde0","9/16/2023, 11:08:21.932 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:10.644 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--906fde2e-8dd5-4f23-b4e4-172aa993f45f","9/16/2023, 1:08:01.438 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:19.652 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4f3d3f1-af5d-4513-8492-ec35645c5def","9/16/2023, 1:08:06.577 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:20.225 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0d42fd59-e35d-47b9-883c-fe649f8ed123","9/16/2023, 1:08:04.459 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:29.693 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c067aac1-a604-4de2-9c50-25d894ae5c4c","9/16/2023, 1:08:22.560 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:29.729 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d6fcbf4b-3556-495c-aa88-0acd255044c9","9/16/2023, 1:08:23.485 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:37.196 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7bee95cd-e324-486b-9117-41300f09b262","9/17/2023, 11:45:16.023 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:37.208 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63ee3a9d-3cf4-4d2e-b22b-1271449e2cc5","9/17/2023, 11:45:16.688 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:43.048 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9c78653-9487-4d89-8b67-608928bd917a","9/17/2023, 11:45:20.556 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:45:53.978 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2af1d1cb-e7ad-4b16-b468-73907fcb06a1","9/17/2023, 11:45:33.575 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:55:38.461 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--826f2365-1d60-4766-a0d9-6e23d71eaa54","9/17/2023, 11:45:33.976 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:17.104 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0726261-7e12-4661-87d5-97a065b37617","9/16/2023, 3:08:01.999 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry 
Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:21.903 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7223660-e7c4-4c5a-9cec-41f6906bce77","9/16/2023, 3:08:05.946 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:29.869 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--59e7a941-8779-46b6-8d36-73e6242c86c6","9/16/2023, 3:08:03.342 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:34.944 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a074809f-57d3-4fa9-87da-f04486d3d526","9/16/2023, 3:08:20.134 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:11:40.681 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--727a3fe8-a151-4d2a-9f92-6fc8385c3d30","9/16/2023, 3:08:21.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:36.163 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98ed521f-2599-4319-a58d-cc8817ad062c","9/16/2023, 5:08:06.299 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.209 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d36c6237-6b5c-4ad0-a0f2-9a3ec3fcc650","9/16/2023, 5:08:19.031 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.281 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b1341aa-5506-432a-83f2-b48c4e993deb","9/16/2023, 5:08:13.460 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and 
Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:55.845 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08e671c6-7a05-4105-a128-d4e846b62f51","9/16/2023, 5:08:19.423 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:09:15.273 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7cca7d95-1898-4218-bc97-76303a8fb6ba","9/16/2023, 5:08:03.586 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert 
feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:45.411 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d25369a-bb6e-4aa5-8813-537080fd7352","9/16/2023, 7:08:31.163 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:45.930 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--897a8a7b-633c-424a-8ce3-7c688ce0e856","9/16/2023, 7:08:29.020 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:46.115 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a2c0b170-6f99-4a25-8be5-1c3f493833d9","9/16/2023, 7:08:33.693 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert 
feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:51.001 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--afd13915-4eb8-4189-abd2-185f9bf9a3ef","9/16/2023, 7:08:40.153 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 5:08:57.308 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9aaf0a9d-5446-495d-87af-bfe2efea5607","9/16/2023, 7:08:46.873 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:15.679 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5d6fd74-72aa-4d81-ac96-f0b2364fa269","9/16/2023, 9:08:02.306 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:15.728 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8285ac3-8d43-4f0b-87d6-ab91004b8170","9/16/2023, 9:08:02.951 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:20.923 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85a0d062-0628-4adc-b045-502c55ac2eb2","9/16/2023, 9:08:06.498 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:08:26.010 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7e3f2d34-e666-4651-a1ff-271f4b4e8d1e","9/16/2023, 9:08:17.134 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 7:11:51.585 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e24c92d2-1a46-4671-b92d-01d73c473131","9/16/2023, 9:08:19.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:06.301 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--997a6852-d265-4f58-8ac9-bd7e72c67650","9/16/2023, 11:08:00.790 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:15.179 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea2d23e3-9fd3-47c6-b3ae-76878b72b662","9/16/2023, 11:08:06.415 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:20.340 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a19aeae-c52f-4c7c-8031-b106532d6f4d","9/16/2023, 11:08:14.842 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky 
Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:08:35.380 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c884a120-d72c-4535-9f15-713bd1aa6efd","9/16/2023, 11:08:21.187 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 9:11:55.876 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dff53a65-93d4-498c-a057-ac5afce09b0f","9/16/2023, 11:08:25.567 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, 
CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:57.493 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08478444-8d5f-4208-ab3a-0cb12a9bf07f","9/17/2023, 1:08:21.134 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:08:57.848 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17532b11-4f26-4be0-b622-41a03297a1ae","9/17/2023, 1:08:17.661 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:09:00.585 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32ef9451-0210-40f2-a336-9e583337e35c","9/17/2023, 1:08:24.505 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:09:01.148 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b96eec3a-fd4d-48b5-8619-b62e35c4dcc1","9/17/2023, 1:08:27.086 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 11:11:55.839 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f997ee53-0055-4c99-b29a-a6921e60556e","9/17/2023, 1:08:44.756 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:25.848 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f9bea367-1bc8-4a84-8bdf-f24cbddd16fe","9/17/2023, 3:08:00.851 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.675 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e537e690-c403-4ebe-b10f-d30bdd2247b4","9/17/2023, 3:08:05.079 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.713 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8185af3e-567f-44e0-9603-b63bbe63ba36","9/17/2023, 3:08:06.418 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:30.828 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48eb7bd8-aa44-4497-ae29-10ee8d440906","9/17/2023, 3:08:04.273 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, 
rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:35.297 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--070780e3-46d5-46da-917f-ac70c12c1b15","9/17/2023, 3:08:10.720 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:35.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d7129dd9-0689-4c04-ba37-d540e791ccd5","9/17/2023, 11:08:01.975 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.989 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a88d374-5fab-49ac-814c-ab2512d8b84d","9/17/2023, 11:08:07.936 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: 
thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.511 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36292b9b-c990-487b-a248-2e48bd931bfb","9/17/2023, 11:08:07.372 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.547 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fc6279d4-dff0-4df3-9284-898c7fcd9c7d","9/17/2023, 11:08:10.318 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:40.441 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4481d3fb-6a10-4be8-ac2b-42890a41b69a","9/17/2023, 11:08:22.480 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:07.579 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bcce22b5-8ab9-424b-bfef-5adf76382b70","9/17/2023, 5:08:01.745 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:15.503 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0b3a3374-7c53-4b8c-9c4f-8df4148cf300","9/17/2023, 5:08:07.758 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:15.644 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--598dcf10-d6c7-45aa-bd16-86a0e2ed6832","9/17/2023, 5:08:11.090 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:35.369 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b2dddac7-f103-4c30-851e-0225df291ffd","9/17/2023, 5:08:20.660 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:12:05.942 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e23a5030-d8ad-4a42-b646-d492a6ba63ea","9/17/2023, 5:08:22.051 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.298 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4401aea-1513-4c1a-99f9-b1874dbe04e1","9/17/2023, 7:08:01.575 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee25b9c8-82a1-4107-95cf-5b55eec45776","9/17/2023, 7:08:05.377 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources 
including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:40.142 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--badadd53-3070-4dfa-a2d2-7b7ea3429c5f","9/17/2023, 7:08:07.018 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:41.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--08c73732-370a-424b-8392-6e0d042a7320","9/17/2023, 7:08:11.273 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:41.494 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1facf7ea-f39d-48a2-8c6d-39a6cd48cd5e","9/17/2023, 7:08:11.324 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:06.234 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7ef1ec4-a850-4328-8e64-adffc33022bb","9/17/2023, 9:08:00.585 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:16.958 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5cd83102-6753-4289-b53f-70b995380a66","9/17/2023, 9:08:09.944 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:16.992 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9d78a97e-2e6a-4f37-a71b-e5dcdfd490f4","9/17/2023, 9:08:11.119 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:17.311 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3e9cc5e7-00a4-4b2a-a380-23ccf91e2668","9/17/2023, 9:08:12.549 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:20.245 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5f745c58-1d64-4c4f-8e22-c049e331fee3","9/17/2023, 9:08:16.700 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:36.170 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--35d737ee-1de6-4034-8718-cd62c309db75","9/17/2023, 11:08:02.032 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:37.322 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1067229f-47b0-4887-a27a-8d9baa9ff186","9/17/2023, 11:08:05.549 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:37.329 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0188ac3-f91b-4bc9-9eeb-9bb49d62b281","9/17/2023, 11:08:06.069 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex 
DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.334 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1232506b-88b5-4f29-97eb-e60e7b4e9134","9/17/2023, 11:08:06.328 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:15.955 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea47ae45-35e5-4483-8c6c-f7930b193276","9/17/2023, 11:08:22.608 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:36.267 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--71ca8c34-1a88-43f4-afbb-07b2d243d4c3","9/17/2023, 1:08:01.478 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:36.889 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--09b5431e-c66f-491e-be3e-5d1dc3b6f770","9/17/2023, 1:08:02.926 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:40.220 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98c9ac66-bdac-442a-be90-586e48035f2a","9/17/2023, 1:08:07.351 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:46.766 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--71b78f26-a7a4-46c0-9a90-ade983fb8f48","9/17/2023, 1:08:35.274 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:46.771 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85349c40-f695-4c2b-9841-2e330dbf0844","9/17/2023, 1:08:35.562 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:24.219 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfd19ab5-ce7c-4019-a7f1-464ea242bdd8","9/18/2023, 11:45:12.365 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, 
CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:24.235 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8bf0e8c8-29d5-443b-bb75-29f9ee18ae55","9/18/2023, 11:45:13.112 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:25.649 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--121b12c6-2c66-42cc-86bd-465615ff4e36","9/18/2023, 11:45:21.105 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:53.432 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--26877643-d7ae-4e6d-b393-bfad90b4bb23","9/18/2023, 11:45:38.254 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:45:53.442 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfb652dc-8be0-4d91-bf14-08633386ef9b","9/18/2023, 11:45:38.809 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:41.234 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4cc646c9-8183-4d55-86b0-f29a12a8f496","9/17/2023, 3:08:35.800 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:46.535 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7ccfa0f1-a6e8-4d00-93f1-88815300b82d","9/17/2023, 3:08:36.445 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:08:47.458 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e4c6bf6-addf-4287-97d1-e19d06f1b43d","9/17/2023, 3:08:30.511 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:09:05.771 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee8091bf-e01f-4bef-9e9e-fec7e6019d74","9/17/2023, 3:08:50.607 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 1:09:05.801 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7242417d-6608-4474-b71a-3c99beab08f5","9/17/2023, 3:08:50.939 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:19.772 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--409aa10d-03e2-40bf-875f-5a4e9d7bd113","9/17/2023, 5:08:07.201 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:19.971 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d3ad68b8-e403-4713-bfc4-70abb564be53","9/17/2023, 5:08:10.259 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources 
including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:20.110 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a081028f-c1c5-4501-aff2-2f958f790879","9/17/2023, 5:08:09.690 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:25.303 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--52c77e79-7dc5-4f4e-a6d7-4c141d5c58b6","9/17/2023, 5:08:05.871 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 3:08:42.407 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14202087-0bbc-4279-8d5d-88ab05357a55","9/17/2023, 5:08:39.313 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert 
feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:26.230 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--90a46bf7-7013-4cc0-8086-7e852e3e1775","9/17/2023, 7:08:03.439 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:27.295 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6367c5b9-685b-42d7-a293-59c3a542a1c3","9/17/2023, 7:08:05.759 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:27.326 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa7edb1d-62c9-4cd4-87e2-ff980b662861","9/17/2023, 7:08:07.388 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:31.364 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--298df983-0ee0-4b7e-b906-58d8d54c0f05","9/17/2023, 7:08:10.503 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 5:08:36.173 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e9119bb6-c2a2-438c-8140-c23a0d0d7a29","9/17/2023, 7:08:23.782 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:35.065 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--188e383b-15ec-45bb-8d31-60f3295933e2","9/17/2023, 9:08:02.800 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:36.012 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--74124284-ae35-4d11-b116-a5a3deef6a26","9/17/2023, 9:08:04.869 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:41.400 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b9d17e02-4f48-4d1e-b4b6-00f67e98f32f","9/17/2023, 9:08:09.742 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:46.322 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d964976-8313-49c3-bfca-b6e34a9af11f","9/17/2023, 9:08:06.146 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 7:08:50.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a34c0b9d-aa2a-4ea3-a167-27b7ddde58ee","9/17/2023, 9:08:23.502 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:20:22.800 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d97bf35c-4199-4659-b645-6c83505238bc","9/8/2023, 1:07:47.630 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:30:14.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d97bf35c-4199-4659-b645-6c83505238bc","9/8/2023, 1:07:47.630 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:19:53.646 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b6701a1-11f4-4b79-83cb-08a09c9c2903","9/8/2023, 5:07:34.020 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:22:56.327 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ac70d21-1550-4280-ad30-95d3e4deaa91","9/8/2023, 1:07:23.608 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 4:40:36.304 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38de68d2-f8bf-47cf-a96c-ad5264907c0c","9/8/2023, 3:07:24.670 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:07:45.743 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:48:50.978 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8b90276-de99-414f-a153-2f9a4f8969c2","9/8/2023, 7:07:23.803 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 5:48:54.517 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ce9c9b42-e010-459f-b642-b683eabad8b2","9/8/2023, 7:07:33.497 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 6:19:39.684 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--485767f0-2ea1-4a9f-99c2-38abca126ac9","9/8/2023, 5:07:54.870 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.313 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--893441bd-2394-42f3-90f5-c3ed88d7d7f5","9/9/2023, 11:45:10.229 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto 
Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.326 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c0559336-987b-4453-ac12-7a850df5763b","9/9/2023, 11:45:10.669 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, 
EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:45:23.522 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--307935bd-059a-4669-8ad9-8dc6e8085d9a","9/9/2023, 11:45:07.493 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:51:56.298 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:55:08.970 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eb787288-43c3-4eda-a1e8-df49612485ad","9/8/2023, 9:08:09.648 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:11:47.637 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd6a74ea-372a-4860-a816-18316991a719","9/8/2023, 7:07:27.174 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:47:20.542 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c8de5703-7eda-4d5f-a24e-111e86ac431b","9/8/2023, 7:07:47.674 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:47:23.454 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--19e7dad9-3189-4451-9717-aaaf1d282318","9/8/2023, 5:07:35.634 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:49:50.401 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21c84f7e-5f6b-489a-98c2-8a99300f23a4","9/9/2023, 11:45:33.294 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, 
ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 12:49:50.408 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c354b7eb-3858-47f5-a3b9-be838d542abc","9/9/2023, 11:45:33.396 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA 
Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:05:34.596 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57599bcf-de5a-410f-b557-6af559f4ec3e","9/8/2023, 7:07:26.377 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:35.381 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6de6cf19-6932-4519-916b-8d70bc0944c3","9/8/2023, 3:08:12.263 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:45.996 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--528070cb-73c8-4a59-b1b0-9283368e4e1c","9/8/2023, 3:08:24.642 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:51.791 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1094883a-d708-49b8-821e-05faa7414ce4","9/8/2023, 3:08:37.003 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:14:24.123 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eaeda867-9870-43fc-8380-50a2248f9f04","9/8/2023, 11:08:40.439 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:15.179 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9a4a9b27-09f9-4c7f-9758-f5f0a9c058d5","9/19/2023, 3:08:08.717 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:20.943 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1b0371f0-59c6-435f-99f1-8518770fa8a2","9/19/2023, 3:08:15.581 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.510 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d11115d-7898-49dc-a65d-d6a5d14d22ca","9/19/2023, 3:08:19.687 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.531 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--61688cb7-a2cf-42d4-99a8-9f9aaaa587dd","9/19/2023, 3:08:21.024 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.533 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7bf2a06-e4e2-413d-bdeb-77586bce43b3","9/19/2023, 3:08:20.566 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:36.239 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ba253edc-5380-4c00-ab4a-8558ca6146bf","9/19/2023, 5:08:10.495 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:38.347 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b79df96-91c5-4223-94c9-6e41f6eef288","9/19/2023, 5:08:13.182 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:41.406 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03ba2c8a-89ec-441f-9416-f07bf1346b4b","9/19/2023, 5:08:16.061 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:45.961 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--00680bc3-14a3-4c19-8eed-1a32767c0c97","9/19/2023, 5:08:19.989 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:52.202 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--92a77d8a-4c1b-48d1-b206-dbf03a8f7a6f","9/19/2023, 5:08:34.822 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:05.604 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f03683b6-47eb-4a46-a8bd-ccdd40e154e8","9/19/2023, 7:08:33.350 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:10.669 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2e76d0aa-6b03-4659-bb92-04af0a487c7d","9/19/2023, 7:08:38.932 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:10.676 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ba69d238-66eb-4a55-afef-6ceae0622f7b","9/19/2023, 7:08:39.563 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:20.180 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2d38d324-f505-492f-8cce-96870835641a","9/19/2023, 7:08:55.410 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:20.182 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--51066a4f-70ef-4eda-8b69-a0e622a4fa2e","9/19/2023, 7:08:55.494 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:36.776 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28717638-9236-47cb-8e06-d154051d563e","9/19/2023, 9:08:09.407 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:40.898 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b8f213a-29c4-4cda-b0a5-8ac99fdf4e21","9/19/2023, 9:08:18.151 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:46.603 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0556b49b-abb7-4c39-960f-7bb223a03db3","9/19/2023, 9:08:20.250 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:46.661 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--872c8ff8-a3a6-4159-9246-992c9cef1b1c","9/19/2023, 9:08:21.169 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:08:50.566 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1c5c94e0-90be-4a90-8f79-16f14f2f90c4","9/19/2023, 9:08:37.495 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:40.743 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57399e5a-3c22-4cc5-87c0-c575f651b5bd","9/19/2023, 11:08:13.862 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:40.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--80fa883a-bdda-4f54-9d5c-5026c0390711","9/19/2023, 11:08:15.382 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:41.564 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d3e9bae4-49e9-4e49-9d71-06d565e336e0","9/19/2023, 11:08:15.784 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:46.639 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9d842811-d837-4c85-ae4a-bc89dcd4dc6d","9/19/2023, 11:08:22.866 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 9:08:50.379 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dadf21bf-e72b-49b2-814d-1f7f1419394d","9/19/2023, 11:08:35.684 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.128 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7db90c38-ec58-4bdf-83db-bbec46c10e62","9/19/2023, 1:08:18.444 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.344 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ff50fc0-ea5b-445f-a893-a54ebe80ab04","9/19/2023, 1:08:15.802 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:41.476 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b5783b25-6d44-4a70-ac52-b2b6c5bdc8d2","9/19/2023, 1:08:10.659 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:45.408 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--62d30968-0058-4c4b-a90b-3d92202be982","9/19/2023, 1:08:24.026 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:08:51.316 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fccc65c0-3b0a-4ff7-9759-6350d78f163d","9/19/2023, 1:08:38.065 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:22.928 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36cb0776-e25f-491a-a527-4a71dcd4fb34","9/20/2023, 11:45:12.794 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:28.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a390bb63-9970-4192-8c5d-0a3e6ecef4db","9/20/2023, 11:45:16.092 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto 
Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:33.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0095ce90-8fe1-4bc0-802e-dc6fec766e39","9/20/2023, 11:45:17.919 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry 
Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:45:37.588 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ef564bc2-bea6-4e61-983d-d5245444af8a","9/20/2023, 11:45:23.584 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 11:52:27.281 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8b11e8e9-f36d-47d4-b355-35ccdc23bf77","9/20/2023, 11:45:41.059 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:25.975 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9dbd1490-67ce-4cc6-a513-c567f010ed21","9/19/2023, 3:08:15.447 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:26.171 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--718fd6df-79e3-4e20-8c1a-2f481a03ef91","9/19/2023, 3:08:18.166 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:30.485 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--566e100a-ab35-441e-911a-cf7cf7d2b5a1","9/19/2023, 3:08:20.580 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:30.544 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--635c9d35-c499-4c77-953c-d5f588430a95","9/19/2023, 3:08:19.781 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 1:08:40.980 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e162abe-0369-4ff8-91a2-d29baa640ed5","9/19/2023, 3:08:34.474 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:15.321 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bd0e9361-c575-44dd-9ba5-b043ef4fb8e3","9/19/2023, 5:08:09.365 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:20.535 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f2971233-3546-480d-836e-97bdd054bdbf","9/19/2023, 5:08:16.432 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, 
ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:20.722 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aeb0307f-2262-43cd-b953-506257e8fa34","9/19/2023, 5:08:14.541 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA 
Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:26.372 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7cf3f7b1-529c-4a3c-b34e-a6e58f90f282","9/19/2023, 5:08:18.928 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 3:08:26.787 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--99dee17f-4834-4795-a747-b9434eca68bd","9/19/2023, 5:08:22.196 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:20.763 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c5fbfd91-2c54-4602-bfd2-730abe3b5ac6","9/19/2023, 7:08:13.031 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:24.757 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf3eec45-7676-4a5a-86bc-973d86b0ed45","9/19/2023, 7:08:18.363 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:30.567 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c2c6ad4a-fdc3-4951-bbb8-2ff9b2833afa","9/19/2023, 7:08:25.054 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:08:30.988 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3fec7701-4ab7-465d-8141-2849db6d2111","9/19/2023, 7:08:24.379 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 5:09:05.682 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b2dc331-8cc9-4b55-9ec9-ee2e241ec263","9/19/2023, 7:08:55.118 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:06.058 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--463ff200-f6f0-421b-b2da-c07a4ec324b1","9/19/2023, 9:08:49.499 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:06.068 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--419764c2-0f94-4ef2-a9be-c1f1aa493d45","9/19/2023, 9:08:54.043 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:10.598 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--327f416c-7445-42b6-b9c2-0fd61da74fb0","9/19/2023, 9:08:56.907 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:20.449 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5cf3c360-59bf-46ea-a991-887fb929b62e","9/19/2023, 9:09:11.129 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/19/2023, 7:09:20.478 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f696f5f5-bc62-4e07-b94f-de74c5c71b06","9/19/2023, 9:09:12.400 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:55.415 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6125e71d-3fdb-4b7f-80bf-11331196cb27","9/18/2023, 1:08:47.576 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:08:55.648 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a2afc016-243c-481c-8b4a-4542d6b55e13","9/18/2023, 1:08:49.816 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:09:00.191 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c652a2e5-809d-461a-b5c6-1e9276a40133","9/18/2023, 1:08:57.617 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:09:00.647 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--69a3df96-fb49-4967-9eff-35e808f23fd8","9/18/2023, 1:08:55.257 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 11:12:46.885 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f5ac907-6b5b-4a1e-bdc5-72ab7f1215c1","9/18/2023, 1:09:11.665 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:35.987 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8b8e460c-65ce-4808-89d7-b5e0211a0113","9/18/2023, 3:08:02.505 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:41.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4e75b7f-8f4c-455f-9410-b67a48e311f4","9/18/2023, 3:08:06.706 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:41.909 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--717aaf2a-82c4-49bf-94d3-1f3a6f4d2ad5","9/18/2023, 3:08:07.917 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:49.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--04304128-6380-4c4d-9d9a-a60f7f21e2b7","9/18/2023, 3:08:25.105 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:12:50.233 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6bc73687-7476-4854-9aeb-488133b95f58","9/18/2023, 3:08:27.032 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:05.063 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98fddd53-14ec-40c6-ad04-37df97e63876","9/18/2023, 5:08:31.809 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.147 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e0625903-457c-4d30-b458-4e469c6fc37c","9/18/2023, 5:08:33.957 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, 
FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.279 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0fc01585-6c9b-4958-b72c-5c03c54101f5","9/18/2023, 5:08:35.473 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:11.295 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--65e11d53-4145-4019-8d65-1aa72d149883","9/18/2023, 5:08:35.616 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:09:20.763 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b6df2215-cbf1-40ac-9692-4bca5deae4c5","9/18/2023, 5:08:53.266 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:15.270 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c248c920-4e53-4c4e-8fb5-65f2d97394fa","9/18/2023, 7:08:09.559 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:15.302 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--434e98e9-e122-49b1-9986-c67b98fe9af1","9/18/2023, 7:08:10.440 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:20.449 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ed65827-850b-48fc-8de2-77a6ebe16ef0","9/18/2023, 7:08:14.204 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:25.796 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--624453e4-2568-459e-b3ad-ea600b37942e","9/18/2023, 7:08:17.427 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:13:00.073 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--289c3733-9077-4623-96a1-7d2286057307","9/18/2023, 7:08:42.576 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:12.301 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--87e33f12-1e66-43d1-9296-dd504e9df042","9/18/2023, 9:08:06.495 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:15.793 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--199260bc-b896-47a0-9951-676bb9a84a71","9/18/2023, 9:08:06.847 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:17.047 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--082d0f96-6a35-41e0-8aac-3ce43d2e1235","9/18/2023, 9:08:13.273 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:21.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98623e0b-689f-4468-97a6-4fd736f5a7a8","9/18/2023, 9:08:14.702 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:21.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e19c0cc1-fb76-453b-b294-6d10a170304a","9/18/2023, 9:08:15.250 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:20.321 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01f2ff3e-dac8-4169-926d-ab826694abb5","9/18/2023, 11:08:46.313 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:20.826 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--27067593-4e58-4a26-b372-4ce3b2f60e39","9/18/2023, 11:08:50.838 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:26.136 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7192309-901a-4145-81f0-ed94f187cd31","9/18/2023, 11:08:56.156 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:26.804 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4accdeb3-e09b-42ec-ab89-9fb1e4fea36f","9/18/2023, 11:08:55.148 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:09:36.625 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01f6ac4e-cb34-4e13-86e4-8d8143f58b7f","9/18/2023, 11:09:12.415 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:36.307 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ccf9ca0b-b745-4310-ade2-b0f58a9773c4","9/18/2023, 1:08:04.963 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:36.316 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2ccac31b-ff38-4e2b-9bdb-f9723c1f3dbc","9/18/2023, 1:08:08.741 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:41.648 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--37432d7a-4a67-4598-8c90-b314fcbebf7c","9/18/2023, 1:08:13.452 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:42.151 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8949fcd9-890e-4ada-ae05-2bd62c170f7b","9/18/2023, 1:08:17.819 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:51.483 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d5c08de1-0ca2-42bd-a89a-554af0fc5210","9/18/2023, 1:08:32.869 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:23.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0485d0bc-d077-4249-b00f-5dbbfd7f97af","9/19/2023, 11:45:10.113 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:28.157 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31a65f3f-19a3-420e-aa42-1de74570eed3","9/19/2023, 11:45:13.472 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:28.319 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--591ce82e-ed1b-45dd-a285-387646c93e95","9/19/2023, 11:45:17.485 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:37.880 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ec22163-07f8-47a3-8ed2-5aa24256dd9c","9/19/2023, 11:45:27.425 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:45:57.907 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21ab12b4-3d26-44ca-93b2-cf748eebbced","9/19/2023, 11:45:39.868 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:37.761 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31a560b5-66b6-4ae1-9ee6-bbf40e14bc14","9/18/2023, 3:08:07.828 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d82ef420-e25a-40e7-b1d7-b20e434401d3","9/18/2023, 3:08:13.237 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.613 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94034a97-d2ec-42d8-b19a-63db7a662aff","9/18/2023, 3:08:15.059 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.776 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6cd1e3c7-4bd6-4ab5-adc1-7f9d94defb3e","9/18/2023, 3:08:16.582 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 1:08:45.801 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1804dd37-01f0-429e-a767-b6d0b0b40fae","9/18/2023, 3:08:18.326 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:15.423 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d81534b-9b08-45c2-91c6-02f7aa52d083","9/18/2023, 5:08:12.039 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:20.539 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dc83bec0-2ecd-4c72-bde2-3976d9217208","9/18/2023, 5:08:12.598 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:20.936 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e40b6c74-5a2f-4f8c-b166-2649ae22ab78","9/18/2023, 5:08:17.391 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:35.796 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fff85ee7-bfd2-456f-af24-53aaa3112023","9/18/2023, 5:08:28.851 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 3:08:44.609 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--644c2254-5beb-4dc3-ac1a-ae278ff24a42","9/18/2023, 5:08:39.170 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:37.228 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:37.279 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa0e13a7-4484-4dfd-910d-bdf63d546490","9/18/2023, 7:08:13.005 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:42.908 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b96d7668-c57a-4752-be78-19af05cdb53b","9/18/2023, 7:08:17.654 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:45.777 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17361014-20be-466f-8232-c67445d912a3","9/18/2023, 7:08:22.006 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:08:50.696 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2cc782fd-2321-47de-b7ea-e887a44633f2","9/18/2023, 7:08:45.150 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:15:30.273 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 5:19:35.651 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--570785f6-8027-487a-86aa-d30d5c9abcbc","9/18/2023, 7:08:06.756 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:35.808 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85b308bb-d1cd-4364-8b0a-cf79f08a1c8f","9/18/2023, 9:08:10.227 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:35.840 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8559901e-538e-4759-bda3-aa0a4bd62a52","9/18/2023, 9:08:11.187 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:08:42.371 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4aef1056-d8c5-4153-bdfa-8e0a944fbacf","9/18/2023, 9:08:20.000 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:09:05.084 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a7148fc-5c0a-4f5b-936f-f9e275d46829","9/18/2023, 9:08:47.284 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 7:09:05.097 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41048f2e-d967-475d-b5dc-1f0953746b5e","9/18/2023, 9:08:48.033 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:35.194 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c301d98e-a0cb-4ebe-9efa-f06b4858cfa8","9/18/2023, 11:08:10.824 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:40.246 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5b364ebf-9fd4-45ff-94ee-9ea261b10ac4","9/18/2023, 11:08:11.641 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:40.281 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5423cbab-37d4-4a1f-9de1-c91448ed0320","9/18/2023, 11:08:15.125 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:45.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--406a6028-be22-4cfb-aa7e-0568fae67cbc","9/18/2023, 11:08:20.595 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 9:08:50.711 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac1a4556-925d-4d95-9a2f-0d5874d6da21","9/18/2023, 11:08:46.401 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:40.696 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48468012-0870-4a62-947a-039a2d94e57d","9/19/2023, 1:08:12.464 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:42.358 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dfb18fa7-4170-485c-b331-e7d80eb549c6","9/19/2023, 1:08:10.788 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""23 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU 
Cert feed. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""4 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:45.689 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ddce8005-e9ab-48f1-a9f1-1aa58d8d3a03","9/19/2023, 1:08:15.525 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:46.158 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5afc27d2-96d1-48b5-b9aa-6cd9e5154b4c","9/19/2023, 1:08:19.540 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/18/2023, 11:08:49.848 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d14deb0-db4c-42bf-8ac7-e619d5082b11","9/19/2023, 1:08:30.060 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky SecureList and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:32.354 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b087305c-60da-4091-89c0-24cea4437438","9/12/2023, 11:45:14.453 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:38.605 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a08f47c-fd0d-4f0b-9b8d-fa50bd322bd1","9/12/2023, 11:45:17.519 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:47.973 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a19bf28c-f51e-4283-a152-f64c8b40a00c","9/12/2023, 11:45:22.661 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:54.180 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0738a9cb-3be4-45a5-87b6-d1baaacd3e54","9/12/2023, 11:45:40.149 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/11/2023, 11:45:54.195 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e90e377-be7a-4b9e-8b3c-c210291d1f75","9/12/2023, 11:45:39.811 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:23.346 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d5ee9223-035e-47f0-a0e5-816fa8732103","9/5/2023, 11:45:05.567 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:29.238 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--728da831-6812-48d6-b6eb-a363ced36875","9/5/2023, 11:45:10.016 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:38.708 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--76800644-c596-48b9-9597-6426e4dd6dda","9/5/2023, 11:45:17.915 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:42.493 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--09d8f629-19bf-468e-888e-a1661bcf9fbf","9/5/2023, 11:45:23.908 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:45:42.813 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fdb1f09c-09ae-4a77-a2be-d5d645b2adc8","9/5/2023, 11:45:25.533 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:27.011 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32aa91d8-2e83-4fad-ba68-e0726a10f354","9/4/2023, 5:07:14.125 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:30.352 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd8869f7-5d5c-4944-a699-e2814fb77abf","9/4/2023, 5:07:18.364 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:30.433 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--353fae35-3de1-4cb3-b55b-0596fa71c597","9/4/2023, 5:07:20.301 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:36.469 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d8349e15-f063-4c17-91c2-0b8b360bce13","9/4/2023, 5:07:33.170 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 3:07:41.738 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--966b8f98-92a4-40f5-a7e6-64cd5de62959","9/4/2023, 5:07:34.340 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:20.562 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b509b76-c8a2-4ab3-a9ed-c8990c023aa0","9/5/2023, 7:07:16.993 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:20.640 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7ac8a634-85a2-4d04-aeb2-cf38b74decf7","9/5/2023, 7:07:16.609 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:31.530 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7c7b93bc-ff94-4ae0-b9f2-a91e862cc66e","9/5/2023, 7:07:26.914 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:36.640 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d69cca53-b393-49ec-bbb8-49d01dc61d54","9/5/2023, 7:07:31.514 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:07:45.637 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--17a9d2bf-5077-42aa-8903-3fb32382ccb1","9/5/2023, 7:07:38.561 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:21.369 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b73b403-3350-4c7e-bdd6-e607411e6a80","9/5/2023, 9:07:15.352 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:25.888 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07c217b0-e837-4ec1-ac87-d6e5b17a7bdc","9/5/2023, 9:07:18.473 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:31.306 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--66deb504-8125-492f-8bec-53a72a05772d","9/5/2023, 9:07:22.823 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:35.831 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd23550a-e752-4cc4-9939-2b91f4c165d7","9/5/2023, 9:07:30.050 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:40.770 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--42987eed-2029-4427-be4f-f827e5727b4d","9/5/2023, 9:07:36.278 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:26.125 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e2827f1-c5af-4cb3-9980-e6822f5395bc","9/5/2023, 11:07:16.725 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:36.534 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--504a1712-548c-4236-a7ee-83aa40c9f3ce","9/5/2023, 11:07:23.866 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:37.242 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9c74d2b-fd5c-4d7e-8ace-d69de0e88240","9/5/2023, 11:07:27.366 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:46.564 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8c9850a7-7205-4e02-ab2b-ad434dae60a1","9/5/2023, 11:07:40.209 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:46.568 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a29805ed-29cb-4b04-9806-1e047cee03c6","9/5/2023, 11:07:40.305 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, 
FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:26.178 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8a9f0bf1-aaec-44ce-8943-53b3c102684b","9/6/2023, 1:07:17.051 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:30.778 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6b4c876-ebe2-4481-b3da-2bc15934eda0","9/6/2023, 1:07:19.787 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:31.254 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2116325b-9b6d-4ee4-8a9e-e1aac1962d12","9/6/2023, 1:07:21.356 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:42.039 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d4d4e9dc-2a9d-4161-873c-83d80ecdc194","9/6/2023, 1:07:32.525 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:50.133 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a0c8048e-3c20-4c94-875f-874e1ee76f63","9/6/2023, 1:07:40.906 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:25.773 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4d7c684c-7880-4f30-878c-b0a869d8362b","9/6/2023, 3:07:15.652 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:31.454 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d93c757d-fbb6-424d-a96f-a54462f88f3f","9/6/2023, 3:07:19.914 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:36.650 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38bccc2e-a746-4a3b-a72e-f6d49f6fb46b","9/6/2023, 3:07:22.150 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:41.396 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38936a8e-d40d-4495-8bba-88bb4e603b7d","9/6/2023, 3:07:30.842 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:41.729 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e2e47bf-4631-4b86-b22a-41f123efe60f","9/6/2023, 3:07:29.863 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:31.149 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b273e6f-f50f-4a40-9fd9-48471873b9e1","9/6/2023, 5:07:16.133 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:36.074 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cfef7946-5a3d-4443-8bd7-5d36055a9629","9/6/2023, 5:07:19.879 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:45.004 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ada7d27f-c1c8-432b-afd6-b250ace62f21","9/6/2023, 5:07:26.923 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:56.690 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f746e14-1b3b-4769-a057-83dfb17ac2d1","9/6/2023, 5:07:41.948 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:56.695 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a446a8b4-5d27-45ac-ba4b-6420d134fdac","9/6/2023, 5:07:41.966 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:25.796 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f1ef799-fb3b-49be-8600-839f3007846f","9/6/2023, 7:07:18.375 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:35.427 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0868de98-3232-40c9-896a-7a11345f2cb3","9/6/2023, 7:07:24.863 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.332 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b64bdcd1-2cc4-48ca-93f8-bdd0797b2374","9/6/2023, 7:07:28.626 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:50.789 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ea3caa70-e3ea-4885-a27e-1883bf5abf5e","9/6/2023, 7:07:43.991 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:57.386 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2576c690-0639-4f3e-b0b9-951ea8971393","9/6/2023, 7:07:42.592 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:25.558 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3787eae6-080e-4091-a9da-f4f0109402a4","9/6/2023, 9:07:16.221 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:34.847 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8939f72c-66cd-4280-bbc1-a790b4a30b8f","9/6/2023, 9:07:20.843 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:41.098 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--26d7beed-7231-47cf-9297-13a8de5b1ec0","9/6/2023, 9:07:27.540 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:51.317 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--70b30161-e26c-409d-9e15-0835a13dc46c","9/6/2023, 9:07:37.669 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:51.459 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b90c2bf-28f1-4f2c-81e6-475e77b4d580","9/6/2023, 9:07:39.557 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:26.456 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d8d3c3fb-574e-44c1-94bc-82760aaa6a21","9/6/2023, 11:07:16.565 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:34.726 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a3ec1027-394a-47aa-99de-0164a55af0ac","9/6/2023, 11:07:21.279 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:35.508 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bbd3462c-6970-4049-bd17-c768b788f641","9/6/2023, 11:07:24.058 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:46.573 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--afd04ad5-513c-4a2b-b521-f0703c0b0cc0","9/6/2023, 11:07:38.986 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:49.848 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07fa8150-83a6-4ff0-a5d1-03b811903d12","9/6/2023, 11:07:42.621 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:25.211 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b064d0f8-b597-4ed6-82ee-80456610e87a","9/6/2023, 1:07:18.208 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:34.918 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eaa475aa-208d-452b-a495-f82192a8e053","9/6/2023, 1:07:22.577 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:39.631 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fe99feb3-f5ca-4f25-85fd-3ce3b7400b64","9/6/2023, 1:07:26.935 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:51.825 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9a8cae3d-29eb-45d8-94c2-dde450b34543","9/6/2023, 1:07:37.070 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:08:01.125 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6ce10354-e748-4bd7-a480-11743f7de0f2","9/6/2023, 1:07:54.824 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:22.965 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0de0b631-35b7-4000-b658-2d50cc34ac45","9/7/2023, 11:45:07.453 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:27.979 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33bcd8db-b224-47a3-9a27-120dfe830115","9/7/2023, 11:45:16.980 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:28.074 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ee6e1df0-1178-4a02-ad26-fc799eca1ea5","9/7/2023, 11:45:12.550 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:32.881 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aad38262-dc08-4120-9568-f98f52d42f40","9/7/2023, 11:45:27.272 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:45:32.885 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c895f834-2355-4b72-a749-94723290904a","9/7/2023, 11:45:23.377 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:30.745 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fcac8dd3-7149-4cc9-9112-d1714bc7042c","9/6/2023, 3:07:20.996 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:30.783 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9dd11f15-22db-490f-95f5-14a95e5c749d","9/6/2023, 3:07:21.126 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:35.503 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--997194ea-b3c0-41a9-88c3-959128d42f5f","9/6/2023, 3:07:24.573 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:45.966 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8cd64efa-7a0d-44a1-b6be-248b7439d7c9","9/6/2023, 3:07:32.213 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 1:07:56.846 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ff0936f4-3f57-431f-b8de-bcd29f98f63a","9/6/2023, 3:07:51.976 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:23.438 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b8e33a9e-745f-4e0e-b90b-2028faae4c37","9/2/2023, 11:45:05.932 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:28.156 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--66581aca-eb17-4d3f-894d-4f64b82a63ae","9/2/2023, 11:45:10.405 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:33.052 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e1bf5f3-fdd8-4712-8b6e-dcdda845e8ac","9/2/2023, 11:45:22.291 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:52.491 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--344a0f7f-5be6-4755-af10-360dea2c251b","9/2/2023, 11:45:45.845 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/1/2023, 11:45:52.611 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96f7d9a1-b944-4dec-b68e-60efd75fa56b","9/2/2023, 11:45:46.724 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.474 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63f58a39-8ad0-43c3-aa52-e4dad18b581e","9/15/2023, 9:07:53.456 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.834 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b4131cb2-5a07-4d96-acb0-35c90ce23da7","9/15/2023, 9:07:59.412 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:15.924 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1972edc6-4a2c-42a6-8694-29b8b4f7def7","9/15/2023, 9:08:00.644 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:25.253 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ffdc3c9e-d47c-4b8d-94de-705103c0e414","9/15/2023, 9:08:12.061 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:30.438 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cfe88178-421b-438b-bd0c-a90df2604155","9/15/2023, 9:08:16.997 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:11.409 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--de79b290-5e16-473d-9d5e-e92cd4e3fec6","9/15/2023, 11:09:21.551 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and 
Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:27.488 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebdcbaf7-1398-4c44-b404-97f05b0b9359","9/15/2023, 11:09:28.026 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:35.455 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa2e51ba-564f-4ed1-b3e5-965463155a58","9/15/2023, 11:09:40.176 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:41.194 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a374743-00a4-4e8f-854b-19abb792d88a","9/15/2023, 11:09:44.371 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:10:41.767 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--91d14ed3-5310-4b72-ba23-c96f8f7b31a4","9/15/2023, 11:09:19.481 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:12:54.439 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7a374743-00a4-4e8f-854b-19abb792d88a","9/15/2023, 11:09:44.371 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:28.170 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0422e61-1493-454f-a950-84b8db4d21d8","9/15/2023, 1:07:54.733 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources 
including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:31.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--67403531-6b94-48ac-bff1-ad3df3d96d80","9/15/2023, 1:07:57.598 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:41.188 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3d275648-8c6f-404b-a13f-148ad7df34f4","9/15/2023, 1:08:05.810 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:09:05.168 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f315a880-2d35-49b0-9e71-06d66f68a4bf","9/15/2023, 1:08:22.786 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:09:05.773 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f49c367-0e1d-4a26-ab6b-4ee75ce545d4","9/15/2023, 1:08:26.671 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:28.942 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e8bab8f-d598-4af0-ae7f-3f4d88234543","9/16/2023, 11:45:10.709 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:33.634 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a9339ea8-2e72-4728-a697-d50c6ec944cd","9/16/2023, 11:45:12.985 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex 
DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:47.219 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8cc06fa-f0b3-439f-8d99-45befb1bc72b","9/16/2023, 11:45:33.040 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:45:52.491 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--baad8853-824f-4bba-bc47-b1a789791c7d","9/16/2023, 11:45:37.178 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 12:04:43.249 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0b2050bf-4e66-4c53-9605-f10ad878c5a7","9/16/2023, 11:45:19.804 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources 
including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:25.941 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b45458f-e7b2-4bd2-b5eb-674ea91d7e58","9/15/2023, 3:08:02.763 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:25.949 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4dc4053-6ce8-4c01-89c1-e689f0d32bce","9/15/2023, 3:08:03.316 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:35.526 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--add76e7f-8a08-4e71-93fb-1406e8e91b98","9/15/2023, 3:08:14.366 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:08:40.824 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--48c02544-3a17-446c-8756-6167221a2406","9/15/2023, 3:08:22.092 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:50.713 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--243dea3a-ef3c-4c4b-b29c-b2d386759f73","9/15/2023, 3:08:24.687 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:50.369 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13e55d73-4a42-4d5c-be2c-f394102aba6e","9/15/2023, 5:08:12.426 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: 
thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:56.559 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6e1beff3-d515-47e0-b603-1e295d64ef51","9/15/2023, 5:08:13.093 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:00.437 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--437e13bb-b1d6-49c2-93bb-3cf5dfb3e20a","9/15/2023, 5:08:15.295 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:26.600 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6c3d207c-9d3d-4583-8a23-8d2958026a12","9/15/2023, 5:08:34.140 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:09:35.651 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc6e07dd-89bc-4b96-a583-ae1a65520a21","9/15/2023, 5:08:36.918 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:12:48.502 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bc6e07dd-89bc-4b96-a583-ae1a65520a21","9/15/2023, 5:08:36.918 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:05.629 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fac4c210-caad-4f33-b1d9-55d9d83bde0a","9/15/2023, 7:07:53.865 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:10.939 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d794c74-e1f6-44b9-96cb-f70cc2b2d15c","9/15/2023, 7:07:59.238 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:16.758 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0c4a8410-73af-4028-a86d-06e9de5ac7f8","9/15/2023, 7:08:04.119 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.526 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23313353-23dc-424e-9541-039c2508d5ef","9/15/2023, 7:08:16.099 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:11:00.793 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2d4d4f90-4b97-446f-81d3-baa81100c5a9","9/15/2023, 7:08:19.306 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:08:58.282 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--54e0bb5b-ab56-404f-850c-03878c690f8a","9/15/2023, 9:08:16.952 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:11.827 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eafee012-31d4-4042-8e3e-c69408f64a86","9/15/2023, 9:08:24.335 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:26.351 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b206e6d2-b714-49a5-bccd-b3b3d003e9bf","9/15/2023, 9:08:34.708 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 
sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:26.352 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4a0ca23-2e34-4297-9d17-000f8779e6e0","9/15/2023, 9:08:34.722 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 7:09:35.025 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f00b01fe-325b-44cc-92af-bc220fad068e","9/15/2023, 9:08:44.280 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:15.756 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--130c1f09-7613-4dca-a6e2-b7d7b7aa4337","9/15/2023, 11:08:01.154 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources 
including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:20.659 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--269c89ba-5cf8-4e87-acc0-e105388b25f5","9/15/2023, 11:08:07.518 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:25.716 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f0553da-c39d-4fa7-80e0-ed526a120693","9/15/2023, 11:08:09.623 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:30.304 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d509716-fc49-4b56-bcb3-837837a2df76","9/15/2023, 11:08:18.534 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, 
CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 9:08:35.363 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31b76793-1fb2-4bf2-a564-21310f93475b","9/15/2023, 11:08:20.911 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:11.428 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a1aaac36-3cd5-4f60-810c-df8ff0da8a18","9/16/2023, 1:07:57.962 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:15.780 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--94281c10-70ba-4606-aff3-a2f5815d39c0","9/16/2023, 1:08:04.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:20.777 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14075afb-04a1-4957-905b-b5e3bbf8872d","9/16/2023, 1:08:02.691 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 
sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:25.842 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7d3db047-6660-489c-8ca3-5885de839745","9/16/2023, 1:08:06.744 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 11:08:35.975 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a2aae41-4e93-44b4-aa05-ae9acb37b623","9/16/2023, 1:08:23.778 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators 
Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:10.763 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4684267-f980-4fb1-80ca-7f1f7bae6379","9/16/2023, 3:07:58.708 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, 
FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:21.718 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ae389ad5-3d7f-4355-af8c-d92939d26894","9/16/2023, 3:08:04.120 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:26.408 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d0b7f2d0-0379-464c-967f-d7175ce8d022","9/16/2023, 3:08:07.223 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:35.174 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b563084-398e-47ba-a046-413d7510a1f0","9/16/2023, 3:08:12.154 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 1:08:40.511 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da6548fb-47e5-4ab8-a7f2-457e8c4e4a28","9/16/2023, 3:08:26.245 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:11.371 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c5fe5710-66e5-4d73-ae46-275d1dbe80b5","9/16/2023, 5:07:59.652 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:20.709 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f17ecba-9ea3-4219-9f5e-ea0dbd9017aa","9/16/2023, 5:08:03.095 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:20.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--38005e85-1d53-4abb-8dbb-c3be4f91a328","9/16/2023, 5:08:04.525 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:08:35.403 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6b7793b0-f3d6-4223-9c55-4036e7a1d981","9/16/2023, 5:08:23.063 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/16/2023, 3:11:15.428 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--75bb8b79-89a0-42ae-8893-e927482c18f5","9/16/2023, 5:08:21.434 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:23.110 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cc425f68-6874-405d-800a-89b2e73991a1","8/31/2023, 11:45:08.839 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis 
News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:29.086 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd4baef5-50eb-4b9a-ad1a-964a95f756fe","8/31/2023, 11:45:16.944 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:32.689 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7acdc054-0295-444d-a664-6f5a82afb165","8/31/2023, 11:45:19.233 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/30/2023, 11:45:32.720 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8da7e428-4760-425e-aac6-fe976f957172","8/31/2023, 11:45:21.566 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:31.496 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d29072c0-9386-4879-8c6b-5bfa72ef172b","9/7/2023, 3:07:22.638 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:36.601 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--322d71aa-d34e-4d95-bb75-858aa8f20fa9","9/7/2023, 3:07:25.276 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.875 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--76487970-82eb-4636-a751-363101b587fa","9/7/2023, 3:07:32.529 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:51.108 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7b51486c-0179-4f49-b9b9-ed010a2d3509","9/7/2023, 3:07:34.428 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:56.616 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--318d54d4-2d75-44a2-b9e8-e3512cce0288","9/7/2023, 3:07:45.346 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:26.128 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd5ea7c7-dda4-471e-beb4-00dd960635dd","9/7/2023, 5:07:22.215 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, 
ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:30.913 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e0d1c312-387f-4d00-81bc-7ae97445e9f8","9/7/2023, 5:07:22.030 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert 
feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:37.201 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b0ab4619-0577-4127-afe2-d95a5d11bc75","9/7/2023, 5:07:33.778 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:51.366 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa05ac38-dcdd-43c9-a898-e9a795689eb3","9/7/2023, 5:07:47.229 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:56.085 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ef28cdab-be67-4bc9-9b56-18f07d8cb3af","9/7/2023, 5:07:46.889 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:45.687 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--47bee001-e846-4a6a-938e-6e5fbbda8c49","9/7/2023, 7:07:23.121 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:46.022 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--72aab46a-7531-4b23-8d14-aff5a03120d6","9/7/2023, 7:07:25.819 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:51.029 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4432a09-afce-4ae9-bea1-ed7e35a62e43","9/7/2023, 7:07:27.635 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:00.594 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3caaff8e-4299-465f-8328-63efe8ae73f7","9/7/2023, 7:07:47.467 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:06.210 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa43199b-6569-4764-987f-45bcd2aeba2d","9/7/2023, 7:07:36.895 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.508 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f63ce06b-3e4a-413a-a778-fe55d45cd62b","9/7/2023, 9:07:25.374 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.521 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f59e25e-07bd-4ae8-93de-1a2989029b73","9/7/2023, 9:07:26.009 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:50.661 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9faf4bb2-2c8e-4fcb-af3c-f8f7073a41c2","9/7/2023, 9:07:22.561 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources 
including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:56.744 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b40cb0f1-bbd8-465f-96fb-be078c7717e7","9/7/2023, 9:07:27.993 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:08:16.079 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ed156d01-27b0-4efb-b07f-1132b3e2d0fa","9/7/2023, 9:07:44.260 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:35.965 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--68da597f-be57-4da8-92a9-ad4047508dc0","9/8/2023, 11:08:12.148 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:40.720 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--679f36ee-3816-4aa5-acaa-4d9648c51ca6","9/8/2023, 11:08:14.944 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:41.236 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--56855af0-414f-452e-9c8b-cfcc3424b6b7","9/8/2023, 11:08:17.557 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 9:08:55.421 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6a253df8-a260-44cd-98f1-d8607637a61e","9/8/2023, 11:08:28.080 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.134 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c226ddb1-03f3-4658-949f-5795d1287619","9/4/2023, 7:07:12.327 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.806 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f7a8e3b-f030-4b07-a974-3198f89a205a","9/4/2023, 7:07:17.389 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:21.891 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--abc79038-8d6c-476f-a014-b2dae104b424","9/4/2023, 7:07:14.810 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:30.872 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--596b6f46-48d4-4472-a2f4-ef850a72911c","9/4/2023, 7:07:27.535 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 5:07:36.094 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--671f5ea8-31d8-4db3-a335-07f7bfd8c012","9/4/2023, 7:07:31.632 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:20.502 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4986b434-8066-48a8-836f-519080ba1c41","9/4/2023, 9:07:11.269 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:25.830 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9442e831-0470-4064-81f3-cfdaa9065174","9/4/2023, 9:07:15.072 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:29.047 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b6736063-65c0-46ec-83fd-ecf582fb57bb","9/4/2023, 9:07:18.503 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:37.243 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--518253f5-5bbc-4978-bd1f-54e45d45f2e2","9/4/2023, 9:07:32.423 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 7:07:37.833 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--432ca638-682b-4ff9-9e4e-ed520728aa9c","9/4/2023, 9:07:27.901 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:40.562 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3364c2dc-86b1-4b0d-8197-d18b61624131","9/4/2023, 11:07:33.739 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:40.582 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--21061758-32c4-4c2f-8a68-af6d89914c6f","9/4/2023, 11:07:30.216 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:50.937 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cf17c272-6ce2-4223-892a-5f4abfcd6e44","9/4/2023, 11:07:39.215 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:07:55.449 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5f35004c-e91e-46ed-bf5a-fce370350486","9/4/2023, 11:07:49.584 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 9:08:04.660 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c891d554-5ce2-4915-991b-b0ca20b60a42","9/4/2023, 11:07:50.727 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:21.762 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41f607b1-9e71-43b5-86a5-779c8399124a","9/5/2023, 1:07:11.541 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:24.836 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd848bce-5e97-45a6-a20b-87baf38d65ff","9/5/2023, 1:07:11.875 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:25.645 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e2d8f97f-d2d2-4e34-aa98-2251839f042b","9/5/2023, 1:07:14.656 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:36.113 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f962517-7f07-47af-af90-980c8804fa83","9/5/2023, 1:07:29.947 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/4/2023, 11:07:45.484 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03429a56-4f4c-4449-b387-013003abbd65","9/5/2023, 1:07:38.336 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:26.829 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--124845e8-7b63-445c-a058-5f47d09ceb2c","9/5/2023, 3:07:13.141 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:30.108 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6a2449fe-980e-4dd2-855b-77733c7f3b3e","9/5/2023, 3:07:17.554 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:35.752 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13c64bf9-b65a-438b-aebf-029b991ecc54","9/5/2023, 3:07:21.711 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:45.916 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--258810b6-33cd-4b74-a1ef-95950b76b852","9/5/2023, 3:07:36.730 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:46.241 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da11013a-d24d-4a1f-b6ae-43b2363298eb","9/5/2023, 3:07:37.494 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.358 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45269453-6771-4889-9264-df97559508b8","9/5/2023, 5:07:34.293 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.521 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b891cd79-213d-4dbd-9ffe-b0052ae61911","9/5/2023, 5:07:36.203 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky 
Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:06.802 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--13565e39-320d-4e8e-a4e4-2429f02baa90","9/5/2023, 5:07:31.897 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:11.725 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4397367d-d158-41b5-aa02-05cc61663ab5","9/5/2023, 5:07:43.361 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:08:16.058 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f1a271eb-b403-4b33-9ad4-8cebd5364178","9/5/2023, 5:07:50.366 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:06.003 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e9c021a-9f16-4c1d-ae19-faaf10aea1d5","9/5/2023, 7:08:56.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:16.412 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac19d3b2-152c-4b89-ad04-cd86979be91e","9/5/2023, 7:09:00.852 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:21.381 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--af5a80c1-79eb-4a77-95cb-6c59e2ab963f","9/5/2023, 7:09:06.138 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:25.964 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--06e7f262-e9ac-4055-ae37-47eaaab231ea","9/5/2023, 7:09:16.074 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:09:27.939 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--62845440-c183-4a69-8ba7-ca2a4b704852","9/5/2023, 7:09:16.950 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 5:14:07.819 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e9c021a-9f16-4c1d-ae19-faaf10aea1d5","9/5/2023, 7:08:56.662 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:22.096 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--02c799db-d535-47cf-acd2-34c2f0dcef8b","9/5/2023, 9:07:18.227 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:25.868 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--55144e47-1ca5-4c2c-8caf-1dd97357a465","9/5/2023, 9:07:22.703 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:35.305 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--42773071-cc72-483d-bc0c-2d24ea845ac3","9/5/2023, 9:07:28.652 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:40.931 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7e5c7eb-0244-4aae-af75-6044c96d08cc","9/5/2023, 9:07:37.821 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 7:07:45.548 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1d17b9fa-8c83-4ddf-9326-48913d4a91f2","9/5/2023, 9:07:39.286 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:19.917 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--57b8ec1c-16ed-48a5-b307-e575cfa45696","9/5/2023, 11:07:13.659 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:20.364 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f7da2362-305b-4d6e-9d90-deb734494049","9/5/2023, 11:07:17.365 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:30.363 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1254bd84-a742-4727-a88a-5b080b9aafb2","9/5/2023, 11:07:23.700 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:36.302 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1818028f-0d4f-4130-b7ed-cc82cfa6e454","9/5/2023, 11:07:32.114 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 9:07:41.778 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c48f53d1-f813-4ed6-ae27-f0b29d051def","9/5/2023, 11:07:37.130 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:26.769 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a45e8359-a4de-45a1-9ef3-7612f0ca8b60","9/5/2023, 1:07:15.843 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:35.172 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--32a44164-b099-4aa3-b7ba-8fcb3afffd7e","9/5/2023, 1:07:23.212 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:41.096 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4098c698-54fb-4dc2-9b08-f97bff24564d","9/5/2023, 1:07:27.424 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:47.148 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--af954681-8e66-4929-a4c5-675cb0deeaf7","9/5/2023, 1:07:38.967 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:07:47.318 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebd7b233-e514-485a-89a9-ba4a068bfb01","9/5/2023, 1:07:38.208 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:25.182 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9abdf5c0-5410-4527-a728-731967d89468","9/6/2023, 11:45:06.843 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:32.739 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8d0d4740-2f99-4909-9a48-eec920480f89","9/6/2023, 11:45:12.458 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:42.662 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f57caaa1-893d-43e6-ba47-466c40d7ff4a","9/6/2023, 11:45:27.854 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, 
ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:42.667 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f94cf57-39cc-4ea0-a4bc-d4d2a072c52e","9/6/2023, 11:45:29.556 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA 
Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 11:45:43.620 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--508e3bb7-b475-41ef-9ead-02a942746f0f","9/6/2023, 11:45:17.166 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:30.831 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--01c38d5b-976f-4926-98ff-91c312b3909f","9/5/2023, 3:07:15.140 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:36.656 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5b776c9-3ad2-4271-a6ee-4958c8f7502e","9/5/2023, 3:07:16.819 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:41.972 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d52b1814-36b4-4542-8dfd-f67984e8a4cf","9/5/2023, 3:07:23.068 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:42.747 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--092abfa4-43ef-4464-8d17-751a56206d33","9/5/2023, 3:07:28.647 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 1:07:45.788 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa7d9d5b-44b9-45eb-bda3-b1061812e4f5","9/5/2023, 3:07:30.148 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:35.611 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--61e924e4-1c21-4048-b8ac-da9566819f8e","9/5/2023, 5:07:19.407 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:36.022 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--938f0865-4612-44a7-8584-cf0213e052be","9/5/2023, 5:07:22.304 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:41.122 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31fbbea8-2e67-4054-85c6-846574a00ab8","9/5/2023, 5:07:25.116 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:45.681 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--529a4de9-ef60-4756-9f43-e69979d0c912","9/5/2023, 5:07:36.790 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/5/2023, 3:07:50.769 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2c58047a-fd20-4135-88a8-73b94419439b","9/5/2023, 5:07:43.818 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:28.344 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0ff19d85-b055-4cd1-ba1a-d306d9e9fa21","9/1/2023, 11:45:08.939 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""6 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686567620800,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:33.703 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3adab4d3-e0b9-4d5b-a818-ab2c9bdd9503","9/1/2023, 11:45:14.850 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""5 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692247301339,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:37.292 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9bc98fd9-561a-420c-a235-f8197eb9927f","9/1/2023, 11:45:19.014 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","8/31/2023, 11:45:37.306 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--859987f2-7c82-4fe4-970c-3aeaddb488f0","9/1/2023, 11:45:17.313 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""15 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, 
rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""3 sightings on 1 source: DHS Automated Indicator Sharing. 3 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.478 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d9641cdf-b756-4d9d-84d6-dbc8bad16a72","9/6/2023, 5:07:22.496 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.759 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--98684f27-baca-475a-a081-638c848a0351","9/6/2023, 5:07:23.249 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:07:55.984 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d678dce9-d1fe-454e-afad-178387bd385a","9/6/2023, 5:07:26.349 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:08:20.743 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b7a15e07-88a5-47ae-9910-b6b82f974e5e","9/6/2023, 5:07:37.783 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 3:08:30.149 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--60030ffa-a379-434c-904b-5603b5c8bbbe","9/6/2023, 5:07:43.223 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.011 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--06dbdab3-92f9-489c-ae2d-5c709b4b43d6","9/6/2023, 7:07:22.188 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.404 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b7e6120b-f981-4851-a389-4f309bb5901d","9/6/2023, 7:07:22.799 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:36.840 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fcac6e25-ffac-421e-9b5e-4222eb18475b","9/6/2023, 7:07:24.085 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:56.078 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5a4c8b7c-00a1-4ef6-bfc7-51edab44f466","9/6/2023, 7:07:48.436 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 5:07:56.914 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fd47baa6-3203-4f6b-8ab9-fb77cae3772b","9/6/2023, 7:07:46.669 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:34.396 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8f2a2fe1-7f36-480c-8d55-61859c48d438","9/6/2023, 9:07:27.076 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:40.631 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--372615ee-6da5-4039-9ee9-a3ae8e56d1ee","9/6/2023, 9:07:31.466 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:40.730 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1f6b9783-6dc7-475c-94d5-598841a1d737","9/6/2023, 9:07:35.399 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:56.631 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b85906f0-251f-40c7-9664-69bec256deeb","9/6/2023, 9:07:48.286 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 7:07:57.987 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e579335-6aa9-4f5c-b4a2-0fd5be2f9c43","9/6/2023, 9:07:49.538 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:35.890 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--da03723e-2db8-477b-910a-6236a6a1cd5d","9/6/2023, 11:07:22.316 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:36.231 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9ef6ca57-5eb3-48bc-a5e0-040ab95f1be6","9/6/2023, 11:07:21.115 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:36.415 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7f58d127-778b-4d28-a1f7-b03fc5523db0","9/6/2023, 11:07:19.797 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:07:52.147 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f602db84-f192-44db-84c7-29be4559cc26","9/6/2023, 11:07:36.413 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, 
CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 9:08:00.533 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f79dc57-e775-4260-bd89-1745a4f7f922","9/6/2023, 11:07:44.304 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:31.112 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c3ccdf57-35e3-4296-98c4-56a2cb41aa3a","9/7/2023, 1:07:20.207 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:35.169 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b93f177b-18fd-4812-afbb-c7fd151ee782","9/7/2023, 1:07:22.915 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:40.857 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f7c68aaa-c0c7-4ea3-898d-90bee394515f","9/7/2023, 1:07:24.616 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:41.028 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0acfafc-90db-4188-be76-669d236670aa","9/7/2023, 1:07:25.023 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/6/2023, 11:07:57.540 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d1e105f7-141f-4cd4-a99f-bd4c3638fba7","9/7/2023, 1:07:43.649 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:30.891 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ecf46d2f-5f18-4f2b-bdeb-f5cb49d81d8d","9/7/2023, 3:07:19.756 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert 
feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:31.900 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--875f1613-ea11-4dd8-b688-2971e304998a","9/7/2023, 3:07:21.420 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.672 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--417f7c9b-dc48-4286-bafa-6bac007a4cf8","9/7/2023, 3:07:32.564 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:07:50.727 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8550da1f-3d70-43ac-9299-818baa67db9f","9/7/2023, 3:07:33.256 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 1:08:00.044 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fb5d98fc-ad61-4ffb-a542-1b4aa42e5303","9/7/2023, 3:07:47.041 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:40.699 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--41bd7516-f7e4-47a7-afc3-bda25753b4b6","9/7/2023, 5:07:29.579 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:40.869 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c28ecd80-e947-4c44-8ba5-afdf7b3d4a19","9/7/2023, 5:07:28.067 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:45.657 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9f229c5b-7479-48ba-8933-56457d911b92","9/7/2023, 5:07:33.958 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:07:50.803 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bb53b503-db79-4a45-84db-e545e7c5fe2f","9/7/2023, 5:07:39.408 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 3:08:05.635 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3f883d5d-6a5f-49d0-86a1-ac3b32767d51","9/7/2023, 5:07:55.375 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:07:55.638 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45f45ac7-52d7-476c-80bb-b56f77ecb67e","9/7/2023, 7:07:32.670 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, 
ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:01.152 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ebf37e0e-a425-401f-bcd5-8f804dcde2e6","9/7/2023, 7:07:36.891 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:06.448 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--28a11b92-b8e1-4d18-8773-df1edde61f4f","9/7/2023, 7:07:42.718 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:16.875 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--eed08f19-0181-42a4-aa17-881fb01ab668","9/7/2023, 7:07:49.749 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA 
Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 5:08:21.280 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--03c266a0-b671-44c1-b319-63f05483b323","9/7/2023, 7:08:00.061 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:30.958 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--77b06c36-972e-42a2-a90a-8c066d0f98dd","9/7/2023, 9:07:21.920 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:35.549 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3ecbe356-5d1b-47cc-adef-aee5a2d23c7f","9/7/2023, 9:07:24.700 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:35.664 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--04a86ebf-5bd1-416b-8672-d971f436788d","9/7/2023, 9:07:23.703 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:44.934 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cff35864-bd11-488c-b448-5a2b623cc50b","9/7/2023, 9:07:34.750 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""18 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, 
rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 7:07:55.639 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0f6d7603-244e-4ced-a999-cc5e252b2aba","9/7/2023, 9:07:43.397 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:31.126 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b0f6460-15fd-40c1-a46c-1575af29e497","9/7/2023, 11:07:23.572 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:31.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ef9e580-227b-48e2-8ea8-625bb1b3173c","9/7/2023, 11:07:21.804 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, 
rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:36.483 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa7aacb6-ebde-4aba-b415-1cbcd08f46d1","9/7/2023, 11:07:24.725 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:51.494 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33ff3d30-706e-4e6a-91e6-b184707cf382","9/7/2023, 11:07:34.084 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:07:55.742 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7577cf17-ba6f-4ee9-810c-a16be3bafe42","9/7/2023, 11:07:51.571 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:31.925 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5bc1fb45-170e-40b4-a46e-cc42f2541ab2","9/7/2023, 1:07:22.585 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:35.539 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23392de3-3b17-4df8-943d-7a6b3e68c2fb","9/7/2023, 1:07:24.158 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:45.503 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d9d91fc4-2617-4678-bc02-d58ed41bd64f","9/7/2023, 1:07:30.896 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: 
cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:50.791 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--145bb6a7-99fb-4ddc-9203-fbe7dce9d7d0","9/7/2023, 1:07:44.497 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:56.115 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96d7f02f-4366-4be8-86bf-1a70d7ef446e","9/7/2023, 1:07:49.768 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:23.310 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bdbfa234-273d-4e60-941b-f7e18436ff32","9/8/2023, 11:45:08.224 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:28.463 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b3725f8c-408c-4633-a74c-e03131404b51","9/8/2023, 11:45:09.967 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:32.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c7c0cb9a-3c34-4938-9d40-fb481b0bcc16","9/8/2023, 11:45:16.918 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:37.866 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--599cda6d-d768-4d8d-95bd-fda9623e3688","9/8/2023, 11:45:26.836 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:45:42.331 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4bd4597a-0d8d-41e2-ae9e-ad3a10b6b092","9/8/2023, 11:45:30.350 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:15:26.228 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--363d1fb1-53fd-41e4-91df-1eb8ded13c92","9/7/2023, 11:07:24.976 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:29:03.782 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ae012fde-7856-49ca-aabd-28fdb9633617","9/7/2023, 11:07:33.578 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:46:58.179 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ce85fe96-3ae1-4eb5-928a-183ef8776f81","9/7/2023, 11:07:43.346 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:46:58.216 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f6ebb0f2-b58c-4830-a518-7bb4207c1003","9/7/2023, 11:07:44.592 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 9:51:38.808 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1ae2b11f-acda-4828-9e15-06d9eab57217","9/7/2023, 11:07:33.120 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:40.729 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--96bb6716-451a-48b1-9ab6-2f79894963a4","9/8/2023, 1:07:28.859 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:41.185 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--808c3640-bfc3-4141-a80f-88d243aa6275","9/8/2023, 1:07:27.375 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/7/2023, 11:07:41.239 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--777441d5-25bb-4af6-ad2c-215dfc4c5c6f","9/8/2023, 1:07:28.491 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 6:38:34.688 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f0a5bd3d-1837-4c0b-9bab-59147842eb8c","9/8/2023, 5:07:32.654 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",false,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:26.552 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2e943c19-84eb-4b92-8fae-150409e77fdf","9/8/2023, 9:08:07.541 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:50.614 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--51caa893-ea6d-4159-ba4f-d401156c7b79","9/8/2023, 9:08:35.254 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 7:08:50.618 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--14564931-c1eb-4ffe-9e8d-b82107734397","9/8/2023, 9:08:35.762 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:07:50.998 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--34996512-f309-473d-b8de-5a1b50425da0","9/8/2023, 3:07:22.219 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:08:24.616 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d4316cab-ebc9-469d-8dfd-78e66fc707fd","9/8/2023, 3:07:43.117 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 1:22:26.999 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--efcaa7f2-3ffc-489e-9080-e206e2d93d8d","9/8/2023, 3:07:43.654 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. 
https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:22:23.555 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:23:34.946 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 2:23:47.118 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--197864cf-2f2d-432f-999a-d9a8b3575707","9/8/2023, 3:07:23.550 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 3:08:02.691 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f11aca0e-dd2d-450a-986f-5a65bfdf9e91","9/8/2023, 5:07:31.657 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:51.682 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfe8fb60-bf6f-46e8-8d3c-08e7857d8609","9/8/2023, 1:07:25.237 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:52.621 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--abb9db07-56fc-4132-ad68-82bddd719228","9/8/2023, 1:07:27.674 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 
sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:07:52.625 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7964dabe-258e-4b1f-96b9-6792e0384341","9/8/2023, 1:07:27.957 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:08:21.419 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--131275ac-8593-4c48-8338-b9ea0dbf1b99","9/8/2023, 1:07:57.412 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""31 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, unsafe.sh. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:08:23.895 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--23debd76-f9d4-4cf2-8164-89938885410e","9/8/2023, 1:07:56.471 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/8/2023, 11:16:14.392 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfe8fb60-bf6f-46e8-8d3c-08e7857d8609","9/8/2023, 1:07:25.237 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:25.687 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7e0d3b09-54f4-43a1-872d-ae2d03b200b3","9/14/2023, 11:07:54.827 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:25.694 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--27b48f67-f765-4bf9-a12a-ce9d4fa6314b","9/14/2023, 11:07:54.394 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:36.260 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bfeae2a7-4698-440b-a64c-8b23d89f65a4","9/14/2023, 11:08:06.757 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:36.275 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d162bfa1-b19e-4f30-9750-abdbe728cab3","9/14/2023, 11:08:14.787 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:09:49.575 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--df5c436a-23f2-4310-869c-3c21214060e0","9/14/2023, 11:08:16.465 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:01.558 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--77d56653-f3d6-4939-bf3a-d72cbd9e5da4","9/14/2023, 1:07:53.807 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:05.750 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e34e6f9e-7219-4d1e-9ce1-b4dd6fc1c559","9/14/2023, 1:07:57.341 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:11.593 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--acd690a5-4434-468a-b0da-c7b8074462dd","9/14/2023, 1:08:06.017 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:21.636 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31db7f78-a377-4906-87bb-20d8aa7baac0","9/14/2023, 1:08:15.841 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:51.246 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--30641f69-1d5a-4e76-afdc-cecf26916da1","9/14/2023, 1:08:20.554 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:29.433 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3b40bf69-06e8-45f8-8f46-cdd865c95a33","9/15/2023, 11:45:12.918 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:32.604 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3958d6cf-fc79-4405-bf1d-3eb8e542e2dd","9/15/2023, 11:45:16.331 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:49.309 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e8065b2-1476-49cc-8287-0b52db4fe42e","9/15/2023, 11:45:23.318 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:45:58.424 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d2ed9733-cb48-4630-a31b-8762aef721be","9/15/2023, 11:45:34.211 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:54:03.497 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b5f32674-cfe0-4ac5-8671-639dfc1b172c","9/15/2023, 11:45:31.892 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:07:56.305 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a6a0f5ef-53bb-445e-8376-153559cc089a","9/14/2023, 3:07:50.850 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry 
Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:01.145 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a8e909a4-e987-460a-b253-d64f2fa27c1b","9/14/2023, 3:07:52.693 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:06.452 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--63e65fe5-80ad-40a6-9798-8179827fa617","9/14/2023, 3:07:55.084 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:06.920 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1fa42a0e-cd8e-4719-8238-b371160662f8","9/14/2023, 3:07:56.913 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:09:55.920 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--85f500b0-9ad5-4603-9f3e-50547c6c08cc","9/14/2023, 3:08:20.022 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:15.953 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--15350ff9-d80f-4403-93b6-456e722f54c2","9/14/2023, 5:08:00.076 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and 
Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:25.622 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--b64896cd-e4c7-44c9-9022-ecafa5e1141d","9/14/2023, 5:08:09.800 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:41.550 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1fec2184-67fa-4aa7-90dc-b65cecd6267b","9/14/2023, 5:08:36.121 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:09:16.822 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e7c3d7f4-4294-4a3d-8dd9-4ca92ba8c1cd","9/14/2023, 5:08:51.070 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:09:20.569 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3a45eaa7-81d0-4d74-af17-05c55459baec","9/14/2023, 5:08:57.836 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:26.652 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fa4fb3d5-a494-4f08-919c-1fc70c533b24","9/14/2023, 7:07:59.238 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, 
FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:35.652 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--861a4318-a3ee-4337-8874-fadd60aecc15","9/14/2023, 7:08:02.796 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:40.857 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ad0e2d14-6b67-40d9-a0e9-a41f3c12f5b4","9/14/2023, 7:08:10.841 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:00.347 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1e1b37c2-370a-42a8-833c-568aea265abd","9/14/2023, 7:08:27.010 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.374 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--31afae3e-5ad6-4c8d-a09d-670ea31c57d7","9/14/2023, 7:08:28.172 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:22.427 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d1cf6a11-584a-4ed6-b188-7bc922a5a144","9/14/2023, 9:07:57.156 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:30.524 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e20a2b15-9def-476d-8102-3482414a83c8","9/14/2023, 9:08:07.327 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:35.371 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c608a60b-71ad-40f8-a00c-79765d4bb6b2","9/14/2023, 9:08:08.688 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:35.683 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a76e638d-e43e-409e-8f54-d841d8cf4140","9/14/2023, 9:08:23.195 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 
sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:10:10.855 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--642a82ba-58d8-45fe-af18-7f4ffeb161a8","9/14/2023, 9:08:24.631 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:16.162 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--074133f8-5918-4b6f-b8aa-29945b12cd42","9/14/2023, 11:07:55.930 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:21.285 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--438b8874-bc19-44c8-9422-46b33e8ae74e","9/14/2023, 11:07:56.443 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:31.429 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c49d28ad-39d9-4cb8-821c-5abf48f690e2","9/14/2023, 11:08:05.409 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:40.520 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--cd365926-ccf7-48fc-b4e1-3d78b04b128c","9/14/2023, 11:08:14.725 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 9:08:40.700 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--18a6006c-c89d-4338-89d2-93d52844f8df","9/14/2023, 11:08:16.451 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:08:55.986 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3cf51c32-b33f-4083-8f8f-108cfa857dc8","9/15/2023, 1:08:17.518 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources 
including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:00.752 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a7b6e1ef-7e24-416f-8c7f-50abcc16c0a9","9/15/2023, 1:08:21.653 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:07.625 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e0ea676-6582-4426-8f3a-40b1acbb56b7","9/15/2023, 1:08:24.677 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:11.674 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5476b219-32ce-4518-9893-d7607a8b6754","9/15/2023, 1:08:25.882 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 11:09:25.661 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf220549-12ed-44df-a4e0-1758857ecbef","9/15/2023, 1:08:44.910 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:09:56.609 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f8c3550f-7338-4057-8db8-ae7de09786bb","9/15/2023, 3:09:15.283 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:01.782 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--587832c8-4e6c-4fc7-9db6-7dd3cb08faa4","9/15/2023, 3:09:19.155 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:05.918 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ac0c5cf6-b2a1-4189-ad12-0f267ba8b5d7","9/15/2023, 3:09:21.065 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:26.250 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3a9c3f54-4aae-4b5a-986b-d47743a03258","9/15/2023, 3:09:37.399 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 1:10:35.121 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--837c33a3-1d16-4d19-aca3-126b99ec992d","9/15/2023, 3:09:41.340 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:15.221 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--649a5bec-654d-4c18-9e2f-d79c414fc346","9/15/2023, 5:07:55.960 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:15.247 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--aa8940a4-f69b-40f3-aa7f-d7013102ee7d","9/15/2023, 5:07:57.637 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:21.225 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--385ac63c-23d0-47bb-b577-861e95ebf4a4","9/15/2023, 5:07:58.845 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 
sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:27.165 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--45169a49-d5b9-437e-96da-122ec384483d","9/15/2023, 5:08:06.694 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 3:08:35.208 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f3327724-9573-4047-9112-284aa860eff3","9/15/2023, 5:08:17.729 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.168 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e53d4ff5-20b7-4859-9072-fd781a49633a","9/15/2023, 7:08:10.806 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto 
Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:26.599 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d35dac52-da36-4505-8e62-e2f3e74b1d34","9/15/2023, 7:08:08.325 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 
Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:40.734 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c8da906f-4d69-451f-be69-86e9fbf7c516","9/15/2023, 7:08:22.234 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:40.797 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4940f3c3-00b0-426d-a806-ba8f9659e240","9/15/2023, 7:08:22.247 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/15/2023, 5:08:50.981 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--382ae4c0-e370-432e-b6c9-c5f339a449cb","9/15/2023, 7:08:29.769 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:28.308 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--be6a7b75-4b58-4b00-aef8-340f72340857","9/14/2023, 11:45:14.925 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:28.324 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--060ccba8-4fbe-4e96-bb83-4e76a6965138","9/14/2023, 11:45:15.366 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:32.570 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--f4cc8dce-5c07-41de-b418-85b2e37e79e3","9/14/2023, 11:45:23.632 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:38.833 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--be234f74-7d0f-4017-820c-688b1cb73341","9/14/2023, 11:45:28.573 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:45:39.787 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8db96f06-6359-4d6e-aaba-925a84de25ae","9/14/2023, 11:45:31.777 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:01.288 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5e27c3b6-f329-425b-8690-c1f68cb7e572","9/13/2023, 3:07:49.450 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:05.481 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--07b3b9de-ba03-47ff-aa25-5af717ac1d00","9/13/2023, 3:07:51.826 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:11.425 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--512f8871-0187-4be9-ad16-856a47a08138","9/13/2023, 3:08:07.197 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:08:12.403 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e6ad714e-42bf-453e-bc32-6a8d94571201","9/13/2023, 3:07:59.594 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 1:09:10.237 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a4ff9751-6c4c-41a7-a11e-54df5051ac6e","9/13/2023, 3:08:09.793 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:52.320 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--bf8429dd-930c-45b6-a59d-e5f6a4b55253","9/13/2023, 5:07:44.305 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:55.410 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--7bb799d8-c211-4863-9b83-7ee793eb3ab0","9/13/2023, 5:07:51.215 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:07:55.573 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4cbee811-dd9b-4ab5-8af6-60360c5617fd","9/13/2023, 5:07:49.597 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 
sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:08:11.304 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dc34aac7-dd1e-408d-936f-5056e675c19d","9/13/2023, 5:08:02.668 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 3:08:15.891 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36c865e9-ffde-4b7e-a8a8-79c5675585ac","9/13/2023, 5:08:09.491 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:50.357 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--dac9f2be-fc6b-4238-bf7d-25f1960b5552","9/13/2023, 7:07:46.003 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:55.814 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a6c10d71-77c1-49f1-9f5a-04dfda9c617a","9/13/2023, 7:07:49.037 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert 
feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:07:55.990 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--18d3c1d8-411c-4a5f-a8da-373bad287b49","9/13/2023, 7:07:50.249 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:08:07.002 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0923776f-9be1-49dd-b7c0-fbd7a7469488","9/13/2023, 7:08:00.959 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. 
Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 5:08:21.026 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--806be070-5fbb-4bbe-af78-658f0c8853cb","9/13/2023, 7:08:09.048 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 
sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:06.166 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--33cdfdd2-e32a-4fd4-b169-ac7df2224c65","9/13/2023, 9:08:30.135 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged 
URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:11.621 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e543e32-68ac-446f-9c7b-0dff944a311d","9/13/2023, 9:08:34.003 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:11.624 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--43c620fb-4173-4a24-a9b1-0c19f2e6ae30","9/13/2023, 9:08:34.174 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:20.616 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5156a3b-994e-426c-a42c-40a25aa26ef0","9/13/2023, 9:08:48.193 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 7:09:21.515 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--8e7ef9c9-18e8-4946-9a8b-118c24ee394e","9/13/2023, 9:08:58.476 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. 
Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:24.915 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--53015a09-f0ee-4341-b6dc-bb14d52c6b66","9/13/2023, 11:07:49.674 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and 
Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:25.180 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--ca07beae-1262-450a-9c21-19f606d650a2","9/13/2023, 11:07:52.340 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:32.046 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4607f6f5-c1eb-463b-be6c-f9d21618bb03","9/13/2023, 11:08:00.984 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:08:35.157 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9e570e31-efe8-4189-92a8-521be7a700c0","9/13/2023, 11:08:07.727 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 9:09:24.648 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--75133179-7c98-46ce-ab52-25dab4392749","9/13/2023, 11:08:12.728 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:21.321 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--135d7ce6-67d7-4941-ae3d-de573bcac4af","9/14/2023, 1:07:47.773 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources 
including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:26.021 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--381e40cc-bac3-4587-b34c-e9569a8dd0ce","9/14/2023, 1:07:51.860 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:26.147 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--9541b48e-53fe-4d3c-b831-005d66c8e127","9/14/2023, 1:07:51.625 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:08:34.824 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--1a6fe549-2e5b-4aa4-ad5b-943eabfc8b6b","9/14/2023, 1:08:01.330 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/13/2023, 11:09:25.382 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2b9d0059-9fe8-4499-8263-b8fbeff02f30","9/14/2023, 1:08:11.893 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:45.450 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a1e9f443-4c36-4425-95ab-bc9280555e4f","9/14/2023, 3:08:05.118 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: 
thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:50.229 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--2bf931d8-ee89-42bc-aac0-71ab46843a4e","9/14/2023, 3:08:09.620 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. 
ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:50.611 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--105dad15-303e-4314-bf68-90846c357cdd","9/14/2023, 3:08:08.918 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:08:56.241 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fee484f7-baec-41b5-b16d-8caf45388f87","9/14/2023, 3:08:21.583 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 1:09:29.727 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--60eec802-5cf0-451f-bf15-37d869cd75ab","9/14/2023, 3:08:26.978 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and 
Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.020 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--a545308b-7560-4579-b5e3-b139eb85e8f7","9/14/2023, 5:07:53.767 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, 
FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.255 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3e6cc431-9819-43fa-9de3-8bc70576f66a","9/14/2023, 5:07:50.763 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:26.593 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5909119-8052-4d45-bc27-f08aa93d3c79","9/14/2023, 5:07:53.926 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News 
and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:36.342 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--db240044-8913-4267-8a9a-9dc09c862b45","9/14/2023, 5:08:01.114 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 
sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 3:08:42.268 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--e5a719ad-1948-40ff-8679-24dbf06ba57f","9/14/2023, 5:08:17.847 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:51.247 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--5daa67dc-b751-4964-92e5-762ad43f7a5e","9/14/2023, 7:08:20.046 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:55.832 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c55c42e4-038d-4687-a919-a8be22a21509","9/14/2023, 7:08:23.990 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. 
and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:08:55.845 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--c4c2ddac-e081-463e-b117-8fba71839c0a","9/14/2023, 7:08:23.242 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.888 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6fb0173a-2e48-4634-a0b0-2f65e054b386","9/14/2023, 7:08:41.091 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 5:09:05.998 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--6725e3ab-ee3f-49c0-af0e-c88fd1106313","9/14/2023, 7:08:41.606 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:25.684 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--402844a5-11cf-4905-a846-2615274df075","9/14/2023, 9:07:52.357 AM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""1 sighting on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. 
http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:26.386 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--0e95224f-8b87-4c46-8296-6719241e7b6c","9/14/2023, 9:07:55.484 AM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) 
Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. 
Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:29.906 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--3dca6811-6f49-4dda-9099-30a874ae334c","9/14/2023, 9:07:56.762 AM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:08:51.899 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",80,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--515156fc-68e5-4f5c-9f28-2f6f4b57157c","9/14/2023, 9:08:08.018 AM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1693329672336,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator +"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/14/2023, 7:09:46.049 AM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4b197e88-d43d-4844-acd9-454f8533276d","9/14/2023, 9:08:12.066 AM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 
2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator diff --git a/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv b/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv new file mode 100644 index 00000000000..30b95bf3d73 --- /dev/null +++ b/Sample Data/Custom/Recoreded Future/RecordedFutureUrlWorkbook_ThreatIntelligenceIndicator_IngestedLogs.csv 
@@ -0,0 +1,6 @@ +TenantId,"TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",SourceSystem,Action,ActivityGroupNames,AdditionalInformation,ApplicationId,AzureTenantId,ConfidenceScore,Description,DiamondModel,ExternalIndicatorId,"ExpirationDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",IndicatorId,ThreatType,Active,KillChainActions,KillChainC2,KillChainDelivery,KillChainExploitation,KillChainReconnaissance,KillChainWeaponization,KnownFalsePositives,MalwareNames,PassiveOnly,ThreatSeverity,Tags,TrafficLightProtocolLevel,EmailEncoding,EmailLanguage,EmailRecipient,EmailSenderAddress,EmailSenderName,EmailSourceDomain,EmailSourceIpAddress,EmailSubject,EmailXMailer,"FileCompileDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]","FileCreatedDateTime [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",FileHashType,FileHashValue,FileMutexName,FileName,FilePacker,FilePath,FileSize,FileType,DomainName,NetworkIP,NetworkPort,NetworkDestinationAsn,NetworkDestinationCidrBlock,NetworkDestinationIP,NetworkCidrBlock,NetworkDestinationPort,NetworkProtocol,NetworkSourceAsn,NetworkSourceCidrBlock,NetworkSourceIP,NetworkSourcePort,Url,UserAgent,IndicatorProvider,Type,TenantId1,SourceSystem1,MG,ManagementGroupName,"TimeGenerated1 [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]",Computer,RawData,"Action_s","Content_Type_s","Device_s","Domain_s","Response_s","Src_IPv4_s","URL_s",Type1,"_ResourceId","IP_TimeGenerated [Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna]" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.547 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--fc6279d4-dff0-4df3-9284-898c7fcd9c7d","9/17/2023, 11:08:10.318 PM",222A2962DA75618542D41BF1C27068A91CAEBA4AD4C9E0CA3E62515B35DFDA59,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources 
including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. https://azuredeploystore.com/cloud/services is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1680178676798,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://azuredeploystore.com/cloud/services",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/30/2023, 1:03:23.582 PM",,,GET,"image/x-icon","Squid_Proxy","azuredeploystore.com","TCP_MISS/304","10.1.207.199","https://azuredeploystore.com/cloud/services","Squid_Proxy_URL_CL",,"8/30/2023, 1:03:23.582 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:35.586 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",79,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--d7129dd9-0689-4c04-ba37-d540e791ccd5","9/17/2023, 11:08:01.975 PM",2C011E0DE727B28C2F51B520D3F1CD0FCEDE621B25CB21AF90427828059CF8A8,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically 
Reported as a Defanged URL\"",\""EvidenceString\"":\""36 sightings on 13 sources including: Malware Analysis News and Indicators Latest Posts, Palo Alto Networks, ASEC Blog Japan, CloudSEK, FreeBufCOM. Most recent link (Apr 12, 2023): https://asec.ahnlab.com/jp/51060/\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1681284451000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""6 sightings on 1 source: External Sensor Data Analysis. https://glcloudservice.com/v1/console is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1692930527787,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""2 sightings on 1 source: Insikt Group. 2 reports including Trojanized 3CXDesktopApp Binary Files Deployed in Supply Chain Attack. 
Most recent link (Apr 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:qsTw3m\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1680652800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://glcloudservice.com/v1/console",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/5/2023, 1:03:26.577 PM",,,GET,"image/jpeg","Squid_Proxy","glcloudservice.com","TCP_MISS/304","10.1.3.187","https://glcloudservice.com/v1/console","Squid_Proxy_URL_CL",,"9/5/2023, 1:03:26.577 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:40.989 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",73,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4a88d374-5fab-49ac-814c-ab2512d8b84d","9/17/2023, 11:08:07.936 PM",AA24EB448BFDC4B590CBF2A4AA3A1AF7E45C69A07CE64E912DC168FB3B8EAFC3,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""38 sightings on 7 sources including: thesecmaster.com, XSS (ex DamageLab) Forum, unsafe.sh, Kaspersky Securelist and Lab, Malware Analysis News and Indicators Latest Posts. Most recent link (Jul 19, 2023): https://Probiv%20Forum%20(Obfuscated)/threads/prilozhenija-s-sjurprizom-novoe-semejstvo-podpisochnyx-trojancev-v-google-play.136347/post-1127080\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689787888000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""2 sightings on 1 source: External Sensor Data Analysis. 
http://f6.beautycam.xyz is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1691893608192,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: New Fleckpe Android Subscription Trojan Advertised Legitimate Applications on Google Play Store. Most recent link (May 05, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:rHX4Vo\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1683244800000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://f6.beautycam.xyz",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"8/26/2023, 1:03:23.114 PM",,,GET,"text/javascript","Squid_Proxy","f6.beautycam.xyz - DIRECT","TCP_MISS/304","10.1.141.80","http://f6.beautycam.xyz","Squid_Proxy_URL_CL",,"8/26/2023, 1:03:23.114 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:08:41.511 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",83,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--36292b9b-c990-487b-a248-2e48bd931bfb","9/17/2023, 11:08:07.372 PM",5B6CEF1AFB9C8FE2AF133864AA9A126C12A9E4C20CE52030048486A804CC23B5,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""19 sightings on 6 sources including: cisa.gov, FBI | IC3 Industry Alerts, CISA Cybersecurity Advisories, rb.gy, EU Cert feed. 
Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 2 sources: External Sensor Data Analysis, Bitdefender. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686096000000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported as a Defanged URL\"",\""EvidenceString\"":\""2 sightings on 1 source: cisa.gov. Most recent link (Sep 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-158a-stopransomware-cl0p-ransomware-gang-exploits-moveit-vulnerability_8.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694467954193,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Reported by DHS AIS\"",\""EvidenceString\"":\""1 sighting on 1 source: DHS Automated Indicator Sharing. 1 report: AA23-158A StopRansomware CL0P Ransomware Gang Exploits CVE-2023-34362 MOVEit Vulnerability (Jun 9, 2023).\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1686306198000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified http://qweastradoc.com/gate.php as possible TA0011 (Command and Control) for Unknown malware on February 11, 2023. 
Most recent link (Feb 11, 2023): https://threatfox.abuse.ch/ioc/1079449\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1676103783000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Detected Malware Distribution\"",\""EvidenceString\"":\""1 sighting on 1 source: External Sensor Data Analysis. http://qweastradoc.com/gate.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1694440866462,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. 
Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"http://qweastradoc.com/gate.php",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/3/2023, 1:03:25.820 PM",,,GET,"application/msword","Squid_Proxy","qweastradoc.com","TCP_MISS/200","10.1.128.138","http://qweastradoc.com/gate.php","Squid_Proxy_URL_CL",,"9/3/2023, 1:03:25.820 PM" +"f233a343-df06-4d9a-8a18-5b3eb8942c7f","9/17/2023, 9:12:40.441 PM","Recorded Future",alert,,,,"ce7c0437-29b2-4139-8c26-0babf2d3738c",76,"Recorded Future - URL - Recently Reported by Insikt Group",,"indicator--4481d3fb-6a10-4be8-ac2b-42890a41b69a","9/17/2023, 11:08:22.480 PM",ED8A7E4D00F2DC4EADA634BB814BD89A0DD591B708D3D6C08AAAF3E8AC802D5E,"malicious-activity",true,,,,,,,,,,,"[""[{\""Rule\"":\""Historically Reported as a Defanged URL\"",\""EvidenceString\"":\""7 sightings on 4 sources: cisa.gov, FBI | IC3 Industry Alerts, EU Cert feed, Security Alerts USCert. Most recent link (Jul 11, 2023): https://www.cisa.gov/sites/default/files/2023-07/aa23-187a-increased-truebot-activity-infects-us-and-canada-based-networks_0.pdf\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1689074563170,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historically Detected Malware Distribution\"",\""EvidenceString\"":\""3 sightings on 1 source: External Sensor Data Analysis. 
https://dremmfyttrred.com/dns.php is observed to be a malware site URL that navigates to malicious content including executables, drive-by infection sites, malicious scripts, viruses, trojans, or code.\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1694110926208,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Historical Suspected C&C URL\"",\""EvidenceString\"":\""1 sighting on 1 source: ThreatFox Infrastructure Analysis. ThreatFox identified https://dremmfyttrred.com/dns.php as possible TA0011 (Command and Control) for Silence on May 06, 2023. Most recent link (May 6, 2023): https://threatfox.abuse.ch/ioc/1112788\"",\""CriticalityLabel\"":\""Unusual\"",\""Timestamp\"":1683351916000,\""MitigationString\"":\""\"",\""Criticality\"":1},{\""Rule\"":\""Recently Reported by DHS AIS\"",\""EvidenceString\"":\""2 sightings on 1 source: DHS Automated Indicator Sharing. 2 reports including AA23-187A Increased Truebot Activity Infects U.S. and Canada Based Networks at Scale (Jul 21, 2023).\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1689937516000,\""MitigationString\"":\""\"",\""Criticality\"":3},{\""Rule\"":\""Recently Reported by Insikt Group\"",\""EvidenceString\"":\""1 sighting on 1 source: Insikt Group. 1 report: CISA’s Joint Cybersecurity Advisory About the New Truebot Variants’ Infection Chain and Tools. Most recent link (Jul 10, 2023): https://app.recordedfuture.com/portal/analyst-note/doc:r8OwJZ\"",\""CriticalityLabel\"":\""Malicious\"",\""Timestamp\"":1688947200000,\""MitigationString\"":\""\"",\""Criticality\"":3}]""]",unknown,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,,"https://dremmfyttrred.com/dns.php",,,ThreatIntelligenceIndicator,"f233a343-df06-4d9a-8a18-5b3eb8942c7f",RestAPI,,,"9/15/2023, 1:03:31.973 PM",,,GET,"text/plain","Squid_Proxy","dremmfyttrred.com","TCP_MISS/304","10.1.150.146","https://dremmfyttrred.com/dns.php","Squid_Proxy_URL_CL",,"9/15/2023, 1:03:31.973 PM" 
diff --git a/Sample Data/ThreatIntelligence/GreyNoiseThreatIntelligence.json b/Sample Data/ThreatIntelligence/GreyNoiseThreatIntelligence.json new file mode 100644 index 00000000000..eed85cdc041 --- /dev/null +++ b/Sample Data/ThreatIntelligence/GreyNoiseThreatIntelligence.json 
@@ -0,0 +1 @@ +[{"type": "indicator", "spec_version": "2.1", "id": "indicator--849a9eaf-1b0f-556d-ab18-7b6a1d1978f6", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.07195Z", "modified": "2023-09-11T17:54:10.07195Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.2']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-11T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 90}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--20d96100-01cf-5753-8f5b-5ed2aa08f921", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.135856Z", "modified": "2023-09-11T17:54:10.135856Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.3']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-02-24T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--3d63ab74-3949-57f7-bf40-0a7c4f149a77", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.144328Z", "modified": "2023-09-11T17:54:10.144328Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.4']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-01T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--0c70e00d-e0a8-5144-8424-cd0fa3ecd5e3", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.150941Z", "modified": "2023-09-11T17:54:10.150941Z", "name": "GreyNoise Internet Scanner 
IOC", "description": "GreyNoise Indicator", "indicator_types": ["malicious"], "pattern": "[ipv4-addr:value = '1.1.1.5']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2023-09-08T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["Mirai"], "confidence": 100}, {"type": "indicator", "spec_version": "2.1", "id": "indicator--b8dfd523-5156-5319-9375-53add8183ea4", "created_by_ref": "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc", "created": "2023-09-11T17:54:10.157199Z", "modified": "2023-09-11T17:54:10.157199Z", "name": "GreyNoise Internet Scanner IOC", "description": "GreyNoise Indicator", "indicator_types": ["unknown"], "pattern": "[ipv4-addr:value = '1.1.1.1']", "pattern_type": "stix", "pattern_version": "2.1", "valid_from": "2018-12-23T00:00:00Z", "valid_until": "2023-09-12T17:54:03.846064Z", "labels": ["SMBv1 Crawler"], "confidence": 100}] \ No newline at end of file diff --git a/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml b/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml index 5df587c2d5b..279e861fa75 100644 --- a/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml +++ b/Solutions/Azure Active Directory/Analytic Rules/SigninBruteForce-AzurePortal.yaml 
@@ -1,9 +1,8 @@ id: 28b42356-45af-40a6-a0b4-a554cdfd5d8a name: Brute force attack against Azure Portal -description: | - 'Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window. - Default Failure count is 10 and default Time Window is 20 minutes. - References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes.' +description: > + Detects Azure Portal brute force attacks by monitoring for multiple authentication failures and a successful login within a 20-minute window. Default settings: 10 failures, 25 deviations. + Ref: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes. severity: Medium requiredDataConnectors: - connectorId: AzureActiveDirectory @@ -13,7 +12,7 @@ requiredDataConnectors: dataTypes: - AADNonInteractiveUserSignInLogs queryFrequency: 1d -queryPeriod: 1d +queryPeriod: 7d triggerOperator: gt triggerThreshold: 0 status: Available 
@@ -22,48 +21,64 @@ tactics: relevantTechniques: - T1110 query: | - let timeRange = 24h; - let failureCountThreshold = 10; - let authenticationWindow = 20m; - let aadFunc = (tableName:string){ - table(tableName) - | where AppDisplayName has "Azure Portal" - | extend - DeviceDetail = todynamic(DeviceDetail), - //Status = todynamic(Status), - LocationDetails = todynamic(LocationDetails) - | extend - OS = tostring(DeviceDetail.operatingSystem), - Browser = tostring(DeviceDetail.browser), - //StatusCode = tostring(Status.errorCode), - //StatusDetails = tostring(Status.additionalDetails), - State = tostring(LocationDetails.state), - City = tostring(LocationDetails.city), - Region = tostring(LocationDetails.countryOrRegion) - // Split out failure versus non-failure types - | extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure") - // sort for sessionizing - by UserPrincipalName and time of the authentication outcome - | sort by UserPrincipalName asc, TimeGenerated asc - // sessionize into failure groupings until either the account changes or there is a success - | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or prev(FailureOrSuccess) == "Success") - // bin outcomes based on authenticationWindow - | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName,SessionStartedUtc - // count the failures in each session - | summarize FailureCountBeforeSuccess=sumif(FailureOrSuccessCount, FailureOrSuccess == "Failure"), StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress,15), make_set(Browser,15), make_set(City,15), make_set(State,15), make_set(Region,15), make_set(ResultType,15) by 
SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type - // the session must not start with a success, and must end with one - | where array_index_of(list_FailureOrSuccess, "Success") != 0 - | where array_index_of(list_FailureOrSuccess, "Success") == array_length(list_FailureOrSuccess) - 1 - | project-away SessionStartedUtc, list_FailureOrSuccess - // where the number of failures before the success is above the threshold - | where FailureCountBeforeSuccess >= failureCountThreshold - // expand out ip for entity assignment - | mv-expand IPAddress - | extend IPAddress = tostring(IPAddress) - | extend timestamp = StartTime - }; + // Set threshold value for deviation + let threshold = 25; + // Set the time range for the query + let timeRange = 24h; + // Set the authentication window duration + let authenticationWindow = 20m; + // Define a reusable function 'aadFunc' that takes a table name as input + let aadFunc = (tableName: string) { + // Query the specified table + table(tableName) + // Filter data within the last 24 hours + | where TimeGenerated > ago(1d) + // Filter records related to "Azure Portal" applications + | where AppDisplayName has "Azure Portal" + // Extract and transform some fields + | extend + DeviceDetail = todynamic(DeviceDetail), + LocationDetails = todynamic(LocationDetails) + | extend + OS = tostring(DeviceDetail.operatingSystem), + Browser = tostring(DeviceDetail.browser), + State = tostring(LocationDetails.state), + City = tostring(LocationDetails.city), + Region = tostring(LocationDetails.countryOrRegion) + // Categorize records as Success or Failure based on ResultType + | extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure") + // Sort and identify sessions + | sort by UserPrincipalName asc, TimeGenerated asc + | extend SessionStartedUtc = row_window_session(TimeGenerated, timeRange, authenticationWindow, UserPrincipalName != prev(UserPrincipalName) or 
prev(FailureOrSuccess) == "Success") + // Summarize data + | summarize FailureOrSuccessCount = count() by FailureOrSuccess, UserId, UserDisplayName, AppDisplayName, IPAddress, Browser, OS, State, City, Region, Type, CorrelationId, bin(TimeGenerated, authenticationWindow), ResultType, UserPrincipalName, SessionStartedUtc + | summarize FailureCountBeforeSuccess = sumif(FailureOrSuccessCount, FailureOrSuccess == "Failure"), StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), makelist(FailureOrSuccess), IPAddress = make_set(IPAddress, 15), make_set(Browser, 15), make_set(City, 15), make_set(State, 15), make_set(Region, 15), make_set(ResultType, 15) by SessionStartedUtc, UserPrincipalName, CorrelationId, AppDisplayName, UserId, Type + // Filter records where "Success" occurs in the middle of a session + | where array_index_of(list_FailureOrSuccess, "Success") != 0 + | where array_index_of(list_FailureOrSuccess, "Success") == array_length(list_FailureOrSuccess) - 1 + // Remove unnecessary columns from the output + | project-away SessionStartedUtc, list_FailureOrSuccess + // Join with another table and calculate deviation + | join kind=inner ( + table(tableName) + | where TimeGenerated > ago(7d) + | where AppDisplayName has "Azure Portal" + | extend FailureOrSuccess = iff(ResultType in ("0", "50125", "50140", "70043", "70044"), "Success", "Failure") + | summarize avgFailures = avg(todouble(FailureOrSuccess == "Failure")) by UserPrincipalName + ) on UserPrincipalName + | extend Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures + // Filter records based on deviation and failure count criteria + | where Deviation > threshold and FailureCountBeforeSuccess >= 10 + // Expand the IPAddress array + | mv-expand IPAddress + | extend IPAddress = tostring(IPAddress) + | extend timestamp = StartTime + }; + // Call 'aadFunc' with different table names and union the results let aadSignin = aadFunc("SigninLogs"); let aadNonInt = 
aadFunc("AADNonInteractiveUserSignInLogs"); union isfuzzy=true aadSignin, aadNonInt + // Additional transformation: Split UserPrincipalName | extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0]) entityMappings: - entityType: Account @@ -72,9 +87,11 @@ entityMappings: columnName: Name - identifier: UPNSuffix columnName: UPNSuffix + - identifier: AadUserId + columnName: UserId - entityType: IP fieldMappings: - identifier: Address columnName: IPAddress -version: 2.1.1 +version: 2.1.2 kind: Scheduled diff --git a/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml new file mode 100644 index 00000000000..179da6a427e --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml 
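Review bot: The new baseline in the `join kind=inner (...)` subquery compares a per-session failure count with a per-user failure ratio: `avg(todouble(FailureOrSuccess == "Failure"))` is the share of that user's Azure Portal sign-ins over 7 days that failed (a value between 0 and 1, assuming `todouble()` of a bool yields 0/1), so `Deviation = abs(FailureCountBeforeSuccess - avgFailures) / avgFailures` with `threshold = 25` reduces to `FailureCountBeforeSuccess > 26 * avgFailures`. That inverts the intent: an account whose recent history is mostly failures (one under sustained brute force) now needs 27 or more failures before the successful sign-in to alert, while any account with a low failure share alerts on the unchanged `>= 10` test alone, so the baseline only suppresses the cases analysts care most about. If the goal is a count-against-count comparison, build the baseline as a daily failure count, e.g. `| summarize dailyFailures = countif(FailureOrSuccess == "Failure") by UserPrincipalName, bin(TimeGenerated, 1d) | summarize avgFailures = avg(dailyFailures) by UserPrincipalName`, and then say in the description what `threshold` actually measures instead of "25 deviations". As a style point, the hard-coded `FailureCountBeforeSuccess >= 10` dropped the old `failureCountThreshold` variable; restoring `let failureCountThreshold = 10;` keeps the tunables together at the top with `threshold`. The `entityMappings` this query feeds are in the following hunk.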
@@ -0,0 +1,61 @@ +id: e50657d7-8bca-43ff-a647-d407fae440d6 +name: GreyNoise TI Map IP Entity to CommonSecurityLog +description: | + This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog. +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: CEF + dataTypes: + - CommonSecurityLog + - connectorId: GreyNoise2SentinelAPI + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 4h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let IPRegex = '[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}\\.[0-9]{1,3}'; + let dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events + let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators + // Fetch threat intelligence indicators related to IP addresses + let IP_Indicators = ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where SourceSystem == 'GreyNoise' + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + // Perform a join between IP indicators and CommonSecurityLog events + IP_Indicators + // Use innerunique to keep performance fast and result set low, as we only need one match to 
indicate potential malicious activity that needs investigation + | join kind=innerunique ( + CommonSecurityLog + | where TimeGenerated >= ago(dt_lookBack) + | extend MessageIP = extract(IPRegex, 0, Message) + | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP) + | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity) + | extend CommonSecurityLog_TimeGenerated = TimeGenerated + ) + on $left.TI_ipEntity == $right.CS_ipEntity + // Filter out logs that occurred after the expiration of the corresponding indicator + | where CommonSecurityLog_TimeGenerated < ExpirationDateTime + // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp + | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity + // Select the desired output fields + | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: CS_ipEntity +version: 1.0.0 +kind: Scheduled diff --git a/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml new file mode 100644 index 00000000000..9ed4f9b2f32 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml 
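Review bot: `queryFrequency: 4h` combined with `let dt_lookBack = 1h;` and `| where TimeGenerated >= ago(dt_lookBack)` in the CommonSecurityLog subquery means each run inspects only the most recent hour of CEF events, so roughly three of every four hours of logs are never matched against the GreyNoise indicators; the 14d `queryPeriod` bounds only the indicator side. Align them with `queryFrequency: 1h` (as the sibling DnsEvents rule does) or `let dt_lookBack = 4h;`. The `| where SourceSystem == 'GreyNoise'` filter depends on the connector writing exactly that value when it uploads indicators, and a mismatch silently yields zero matches rather than an error, so a comment naming where that string is set would help the next maintainer, e.g. `// SourceSystem is set by the GreyNoise2SentinelAPI upload; must match exactly`. A smaller robustness point: `ipv4_is_private()` returns null for non-IPv4 input, so `== false` also discards any IPv6 indicator; if that is intended, say so in the comment on that line.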
@@ -0,0 +1,74 @@ +id: ddf47b6f-870c-5712-a296-1383acb13c82 +name: GreyNoise TI Map IP Entity to DnsEvents +version: 1.0.0 +kind: Scheduled +description: | + This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents. +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: DNS + dataTypes: + - DnsEvents + - connectorId: GreyNoise2SentinelAPI + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; // Look back 1 hour for DNS events + let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators + // Fetch threat intelligence indicators related to IP addresses + let IP_Indicators = ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where SourceSystem == 'GreyNoise' + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + // Perform a join between IP indicators and DNS events + IP_Indicators + // Use innerunique to keep performance fast and result set low, as we only need one match to 
indicate potential malicious activity that needs investigation + | join kind=innerunique ( + DnsEvents + | where TimeGenerated >= ago(dt_lookBack) + | where SubType =~ "LookupQuery" and isnotempty(IPAddresses) + | mv-expand SingleIP = split(IPAddresses, ", ") to typeof(string) + | extend DNS_TimeGenerated = TimeGenerated + ) + on $left.TI_ipEntity == $right.SingleIP + // Filter out DNS events that occurred after the expiration of the corresponding indicator + | where DNS_TimeGenerated < ExpirationDateTime + // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp + | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP + // Select the desired output fields + | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore, + TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type + | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.')) +entityMappings: + - entityType: Host + fieldMappings: + - identifier: HostName + columnName: HostName + - identifier: DnsDomain + columnName: DnsDomain + - entityType: IP + fieldMappings: + - identifier: Address + columnName: ClientIP + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url diff --git a/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml new file mode 100644 index 00000000000..1b9bbce2918 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml 
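Review bot: `requiredDataConnectors` lists `ThreatIntelligenceTaxii`, but the query keeps only indicators with `SourceSystem == 'GreyNoise'`, the value the connector's upload payload sets, so TAXII-fed indicators can never match here and listing that connector lets the solution's dependency check pass on a workspace where the rule is inert; I would drop that entry and keep `ThreatIntelligence`, `DNS` and `GreyNoise2SentinelAPI`. The IP entity is mapped to `ClientIP` (the querying host), while the address that actually matched the IoC, `SingleIP`, is only projected; adding a second IP entity, `- identifier: Address` / `columnName: SingleIP`, gives investigators both ends without touching the query. `TI_ipEntity` is also available for that purpose since it equals `SingleIP` after the join.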
@@ -0,0 +1,78 @@ +id: c51628fe-999c-5150-9fd7-660fc4f58ed2 +name: GreyNoise TI map IP entity to OfficeActivity +version: 1.0.0 +kind: Scheduled +description: | + This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity. +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: Office365 + dataTypes: + - OfficeActivity + - connectorId: GreyNoise2SentinelAPI + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events + let ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators + // Fetch threat intelligence indicators related to IP addresses + let IP_Indicators = ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where SourceSystem == 'GreyNoise' + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith "fe80" and TI_ipEntity !startswith "::" and TI_ipEntity !startswith "127."; + // Perform a join between IP indicators 
and OfficeActivity events + IP_Indicators + // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation + | join kind=innerunique ( + OfficeActivity + | where TimeGenerated >= ago(dt_lookBack) + | where isnotempty(ClientIP) + | extend ClientIPValues = extract_all(@'\[?(::ffff:)?(?P(\d+\.\d+\.\d+\.\d+)|[^\]%]+)(%\d+)?\]?([-:](?P\d+))?', dynamic(["IPAddress", "Port"]), ClientIP)[0] + | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '') + | extend OfficeActivity_TimeGenerated = TimeGenerated + ) + on $left.TI_ipEntity == $right.IPAddress + // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator + | where OfficeActivity_TimeGenerated < ExpirationDateTime + // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp + | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId + // Select the desired output fields + | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, + TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type + | extend timestamp = OfficeActivity_TimeGenerated, Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0]) +entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: TI_ipEntity + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url 
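Review bot: As rendered, the named groups in the `extract_all` regex read `(?P(\d+...` and `(?P\d+)` with no group names, which KQL would reject at deployment; the committed file presumably has `(?P<IPAddress>…)` and `(?P<Port>…)` and the names were lost in this view, but it is worth confirming since a malformed regex disables the whole rule. The `summarize ... by IndicatorId` keeps one OfficeActivity event per indicator regardless of how many accounts acted from the flagged address in the hour, unlike the sibling rules that also group by the matched IP; if several users operate from one scanner IP only the latest surfaces, and `by IndicatorId, UserId` keeps one row per affected account. The `Account` mapping splits `UserId` on `@`; for record types where `UserId` is an application id or bare name `UPNSuffix` comes out empty — hedged, since the record types in scope are not visible here.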
diff --git a/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml new file mode 100644 index 00000000000..0ce394037cf --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml 
@@ -0,0 +1,82 @@ +id: f6c76cc9-218c-5b76-9b82-8607f09ea1b4 +name: GreyNoise TI Map IP Entity to SigninLogs +version: 1.0.0 +kind: Scheduled +description: | + 'This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.' +severity: Medium +requiredDataConnectors: + - connectorId: ThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: ThreatIntelligenceTaxii + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: AzureActiveDirectory + dataTypes: + - SigninLogs + - connectorId: AzureActiveDirectory + dataTypes: + - AADNonInteractiveUserSignInLogs + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: GreyNoise2SentinelAPI + dataTypes: + - ThreatIntelligenceIndicator +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + let aadFunc = (tableName:string){ + ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where SourceSystem == 'GreyNoise' + // Picking up only IOC's that contain the entities we want + | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP) + // As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty. 
+ // Taking the first non-empty value based on potential IOC match availability + | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity) + | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity) + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique ( + table(tableName) | where TimeGenerated >= ago(dt_lookBack) + | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails) + | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason) + | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion) + // renaming time column so it is clear the log this came from + | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type + ) + on $left.TI_ipEntity == $right.IPAddress + | where SigninLogs_TimeGenerated < ExpirationDateTime + | summarize SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress + | project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore, + TI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type + | extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0]) + }; + let aadSignin = aadFunc("SigninLogs"); + let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs"); + union isfuzzy=true aadSignin, aadNonInt 
+entityMappings: + - entityType: Account + fieldMappings: + - identifier: Name + columnName: Name + - identifier: UPNSuffix + columnName: UPNSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IPAddress + - entityType: URL + fieldMappings: + - identifier: Url + columnName: Url diff --git a/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml new file mode 100644 index 00000000000..6bfcffeae72 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml @@ -0,0 +1,126 @@ +id: 536e8e5c-ce0e-575e-bcc9-aba8e7bf9316 +name: GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema) +version: 1.0.0 +kind: Scheduled +description: | + 'This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC.
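Review bot: `AzureActiveDirectory` appears twice in `requiredDataConnectors`, once per data type; a single entry with both `SigninLogs` and `AADNonInteractiveUserSignInLogs` under `dataTypes` is the expected shape and avoids a duplicate-connector finding in the solution validator. The `summarize ... by IndicatorId, IPAddress` collapses all sign-ins from a matched address into the single latest row, so when several accounts authenticate from one GreyNoise-flagged scanner only one account is surfaced and mapped; `by IndicatorId, IPAddress, UserPrincipalName` keeps one row per affected identity. Unlike the other four rules in this change, this query applies no private/loopback filter to `TI_ipEntity`; harmless for GreyNoise data but worth aligning. The description value is wrapped in single quotes inside a `|` block scalar, so the quote characters become part of the displayed text.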

+ This analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema' +severity: Medium +status: Available +requiredDataConnectors: + - connectorId: AWSS3 + dataTypes: + - AWSVPCFlow + - connectorId: MicrosoftThreatProtection + dataTypes: + - DeviceNetworkEvents + - connectorId: SecurityEvents + dataTypes: + - SecurityEvent + - connectorId: WindowsForwardedEvents + dataTypes: + - WindowsEvent + - connectorId: Zscaler + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftSysmonForLinux + dataTypes: + - Syslog + - connectorId: PaloAltoNetworks + dataTypes: + - CommonSecurityLog + - connectorId: AzureMonitor(VMInsights) + dataTypes: + - VMConnection + - connectorId: AzureFirewall + dataTypes: + - AzureDiagnostics + - connectorId: AzureNSG + dataTypes: + - AzureDiagnostics + - connectorId: CiscoASA + dataTypes: + - CommonSecurityLog + - connectorId: Corelight + dataTypes: + - Corelight_CL + - connectorId: AIVectraStream + dataTypes: + - VectraStream + - connectorId: CheckPoint + dataTypes: + - CommonSecurityLog + - connectorId: Fortinet + dataTypes: + - CommonSecurityLog + - connectorId: MicrosoftDefenderThreatIntelligence + dataTypes: + - ThreatIntelligenceIndicator + - connectorId: CiscoMeraki + dataTypes: + - Syslog + - CiscoMerakiNativePoller + - connectorId: GreyNoise2SentinelAPI + dataTypes: + - ThreatIntelligenceIndicator + +queryFrequency: 1h +queryPeriod: 14d +triggerOperator: gt +triggerThreshold: 0 +tactics: + - Impact +query: | + let dt_lookBack = 1h; + let ioc_lookBack = 14d; + let IP_TI = materialize ( + ThreatIntelligenceIndicator + | where TimeGenerated >= ago(ioc_lookBack) + | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId + | where Active == true and ExpirationDateTime > now() + | where SourceSystem == 'GreyNoise' + | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,"NO_IP") + | where 
TI_ipEntity != "NO_IP" + ); + IP_TI + // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated + | join kind=innerunique + ( + _Im_NetworkSession (starttime=ago(dt_lookBack)) + | where isnotempty(SrcIpAddr) + | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor + | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity + | project-rename SrcMatch = Active + | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity + | project-rename DstMatch = Active + | where SrcMatch or DstMatch + | extend + IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr), + IoCDirection = iff(SrcMatch, "Source", "Destination") + )on $left.TI_ipEntity == $right.IoCIP + | where imNWS_mintime < ExpirationDateTime + | project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct +entityMappings: + - entityType: IP + fieldMappings: + - identifier: Address + columnName: IoCIP + +customDetails: + EventStartTime: imNWS_mintime + EventEndTime: imNWS_maxtime + IoCDescription: Description + ActivityGroupNames: ActivityGroupNames + IndicatorId: IndicatorId + ThreatType: ThreatType + IoCExpirationTime: ExpirationDateTime + IoCConfidenceScore: ConfidenceScore + IoCIPDirection: IoCDirection + +alertDetailsOverride: + alertDisplayNameFormat: A network session {{IoCDirection}} address {{IoCIP}} matched an IoC. + alertDescriptionFormat: The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator. + +tags: + - Schema: ASIMNetworkSession + SchemaVersion: 0.2.4 
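Review bot: `alertDescriptionFormat` has a typo in analyst-facing text, `threat intelligence blead`, which should read `threat intelligence blade`. The long `requiredDataConnectors` list includes `MicrosoftDefenderThreatIntelligence`, whose indicators are excluded by the `SourceSystem == 'GreyNoise'` filter, while the `ThreatIntelligence` connector that the other rules in this change declare is absent; swapping those keeps the dependency declaration honest. A minor consistency point: this is the only one of the five rules with `status: Available` and a blank line inside the connector list.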
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/.gitignore b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/.gitignore new file mode 100644 index 00000000000..7685fc4ac83 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/.gitignore 
@@ -0,0 +1,135 @@
+# Byte-compiled / optimized / DLL files
+__pycache__/
+*.py[cod]
+*$py.class
+
+# C extensions
+*.so
+
+# Distribution / packaging
+.Python
+build/
+develop-eggs/
+dist/
+downloads/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+pip-wheel-metadata/
+share/python-wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+
+# PyInstaller
+# Usually these files are written by a python script from a template
+# before PyInstaller builds the exe, so as to inject date/other infos into it.
+*.manifest
+*.spec
+
+# Installer logs
+pip-log.txt
+pip-delete-this-directory.txt
+
+# Unit test / coverage reports
+htmlcov/
+.tox/
+.nox/
+.coverage
+.coverage.*
+.cache
+nosetests.xml
+coverage.xml
+*.cover
+.hypothesis/
+.pytest_cache/
+
+# Translations
+*.mo
+*.pot
+
+# Django stuff:
+*.log
+local_settings.py
+db.sqlite3
+
+# Flask stuff:
+instance/
+.webassets-cache
+
+# Scrapy stuff:
+.scrapy
+
+# Sphinx documentation
+docs/_build/
+
+# PyBuilder
+target/
+
+# Jupyter Notebook
+.ipynb_checkpoints
+
+# IPython
+profile_default/
+ipython_config.py
+
+# pyenv
+.python-version
+
+# pipenv
+# According to pypa/pipenv#598, it is recommended to include Pipfile.lock in version control.
+# However, in case of collaboration, if having platform-specific dependencies or dependencies
+# having no cross-platform support, pipenv may install dependencies that don’t work, or not
+# install all needed dependencies.
+#Pipfile.lock
+
+# celery beat schedule file
+celerybeat-schedule
+
+# SageMath parsed files
+*.sage.py
+
+# Environments
+.env
+.venv
+env/
+venv/
+ENV/
+env.bak/
+venv.bak/
+
+# Spyder project settings
+.spyderproject
+.spyproject
+
+# Rope project settings
+.ropeproject
+
+# mkdocs documentation
+/site
+
+# mypy
+.mypy_cache/
+.dmypy.json
+dmypy.json
+
+# Pyre type checker
+.pyre/
+
+# Azure Functions artifacts
+bin
+obj
+appsettings.json
+local.settings.json
+
+# Azurite artifacts
+__blobstorage__
+__queuestorage__
+__azurite_db*__.json
+.python_packages
\ No newline at end of file
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip
index 3b1cd87e9e1..46cdc1b1578 100644
Binary files a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip and b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConn.zip differ
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/function.json b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/function.json
new file mode 100644
index 00000000000..4944e0385a6
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/function.json
@@ -0,0 +1,11 @@
+{
+ "scriptFile": "main.py",
+ "bindings": [
+ {
+ "name": "mytimer",
+ "type": "timerTrigger",
+ "direction": "in",
+ "schedule": "0 0 0 */0 * *"
+ }
+ ]
+}
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/main.py b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/main.py
new file mode 100644
index 00000000000..773a30e1d41
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/main.py
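Review bot: The timer schedule `0 0 0 */0 * *` uses a step of zero in the day-of-month field, which is not a valid NCRONTAB increment; the Functions host rejects the trigger's schedule at startup, so the connector never fires, no GreyNoise indicators reach the workspace, and every analytic rule in this solution is silently inert while appearing deployed. For a daily run at 00:00 UTC use `"schedule": "0 0 0 * * *"`. The readme added alongside still describes the 5-minute sample cadence (`0 */5 * * * *`), so the intended daily cadence should be documented where operators will see it, since the indicators' 24-hour validity depends on it.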
@@ -0,0 +1,407 @@ +import datetime +import json +import logging +import os +import sys +import time +from collections import namedtuple + +import azure.functions as func +import msal +import requests +from greynoise import GreyNoise +from requests.adapters import HTTPAdapter +from requests_ratelimiter import LimiterSession +from urllib3.util import Retry + +from .stixGen import GreyNoiseStixGenerator + +REQUIRED_ENVIRONMENT_VARIABLES = [ + "GREYNOISE_KEY", + "GREYNOISE_LIMIT", + "CLIENT_ID", + "CLIENT_SECRET", + "TENANT_ID", + "WORKSPACE_ID", + ] + +GreyNoiseSetup = namedtuple("GreyNoiseSetup", ["api_key", "query", "tries", "size"]) +MSALSetup = namedtuple("MSALSetup", ["tenant_id", "client_id", "client_secret", "workspace_id"]) +class GreuNoiseSentinelUpdater(object): + """Simple wrapper class to handle consuming IPs""" + + def __init__(self, greynoise_setup: GreyNoiseSetup, + msal_setup: MSALSetup): + super(GreuNoiseSentinelUpdater, self).__init__() + + self.greynoise_query = greynoise_setup.query + self.greynoise_size = greynoise_setup.size + self.greynoise_tries = greynoise_setup.tries + self.msal_tenant_id = msal_setup.tenant_id + self.msal_client_id = msal_setup.client_id + self.msal_client_secret = msal_setup.client_secret + self.msal_workspace_id = msal_setup.workspace_id + + # Setup RateLimiter and Retry Adapter + self.limiter_session = LimiterSession( + per_minute=90, + limit_statuses=[429, 503], + ) + retry_strategy = Retry( + total=3, + backoff_factor=1, + status_forcelist=[429, 503], + allowed_methods={'POST'}, + ) + self.limiter_session.mount("https://", HTTPAdapter(max_retries=retry_strategy)) + + # Setup GreyNoise Session + self.session = GreyNoise( + api_key=greynoise_setup.api_key, + integration_name="azuresentinel-consumer-v1.0", + ) + self.gn_stix_generator = GreyNoiseStixGenerator() + + + def get_token(self): + """Gets an access token to access office service. 
+ Args: + tenant_id (str): the tenant id + client_id (str): the client id + client_secret (str): the secret id for the client + Returns: + A token access key. + """ + logging.info("Getting token for tenant: {0}".format(self.msal_tenant_id)) + try: + context = msal.ConfidentialClientApplication(self.msal_client_id, + authority='https://login.microsofto' + 'nline.com/' + self.msal_tenant_id, + client_credential=self.msal_client_secret) + token, token_ttl = self.acquire_token(context) + # Set expiry of MSAL token to 55 minutes to avoid token expiry during upload + msal_token_expiry = datetime.datetime.now() + datetime.timedelta(seconds=token_ttl - 300) + return token, msal_token_expiry + except requests.exceptions.RequestException as e: + logging.info("Error getting token for tenant: {0}".format(self.msal_tenant_id)) + raise e + + + def acquire_token(self, context): + """Gets an access token to access ms graph TI Upload service. + Args: + context: the authentication context + Returns: + A token access key. 
+ """ + scope = "https://management.azure.com/.default" + + try: + result = context.acquire_token_silent([scope], + account=None) + if not result: + result = context.acquire_token_for_client(scopes=[ + scope]) + + if 'access_token' in result: + bearer_token = result['access_token'] + token_expiry_seconds = result['expires_in'] + return bearer_token, token_expiry_seconds + else: + error_code = result.get("error") + error_message = result.get("error_description") + logging.info("Error acquiring token for tenant with code: {0}".format(error_code)) + logging.info(error_message) + raise ValueError(error_message) + + except requests.exceptions.RequestException as e: + logging.info("Error acquiring token for tenant.") + raise e + + def upload_indicators_to_sentinel(self, token: str, indicators: list): + """Uploads a list of indicators to Azure Sentinel Threat Intelligence + Endpoint Docs: # https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#request-body + + API Limits are 100 indicators per request and 100 requests per minute. 
+ Args: + token (str): the access token + indicators (list): the list of indicators to upload + Returns: + A response object.""" + status_retry = 0 + url = "https://sentinelus.azure-api.net/{0}/threatintelligence:upload-indicators".format(self.msal_workspace_id) + headers = { + 'Content-Type': 'application/json', + 'Authorization': 'Bearer {0}'.format(token) + } + params = { + 'api-version': '2022-07-01' + } + payload = { + 'SourceSystem': 'GreyNoise', + 'Value': indicators + } + + try: + response = self.limiter_session.request("POST", url, + headers=headers, + params=params, + json=payload, + timeout=5, + ) + response.raise_for_status() + except requests.HTTPError as e: + status_retry += 1 + if e.response.status_code == (429 or 503): + logging.error("HTTP: " + int(e.response.status_code)) + if status_retry > 3: + logging.error("Too many upload indicators API retries, exiting.") + sys.exit(1) + sleep_for = int(e.response.message.split()[7]) + 5 if e.response.message else 60 + logging.info("API Rate limit exceeded (HTTP 429) or Server Error (HTTP 503), waiting {0} seconds...".format(sleep_for)) + time.sleep(sleep_for) + logging.info("Retrying upload...") + self.upload_indicators_to_sentinel(token, indicators) + elif e.response.status_code == 401: + logging.error("HTTP: " + int(e.response.status_code)) + logging.error('Did you add the Azure Sentinel Contributor role to your service principal?') + logging.error('More info here: https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#acquire-an-access-token') + logging.error(e.response.text) + elif e.response.status_code: + logging.error("HTTP: " + int(e.response.status_code)) + logging.error(e.response.text) + logging.error('Cannot upload indicators to Azure Sentinel, exiting.') + sys.exit(1) + + # Check for submission errors + if response.json().get('errors') != []: + logging.warning('Nonfatal error in submitting indicator. 
While a field failed, \n' \ + 'the rest of the indicator failed and we can continue.') + logging.warning('Error: ' + json.loads(response.json()).get('error')) + + return response.json() + + def chunks(self, l: list, chunk_size: int): + """Yield successive n-sized chunks from list.""" + for i in range(0, len(l), chunk_size): + yield l[i:i + chunk_size] + + + def consume_ips(self): + logging.info( + "Starting consumption of GreyNoise indicators with query %s" + % (self.greynoise_query) + ) + total_addresses = 0 # counter for total IPs consumed + payload_size = None # total IPs available from query + tries = int(self.greynoise_tries) + scroll = "" # scroll token for pagination + complete = False + + # MS Graph TI Upload API limits are 100 indicators per request and 100 requests per minute. + # Get MSAL token + token, msal_expiry_time = self.get_token() + if token: + logging.info("MSAL token obtained") + + while not complete: + if datetime.datetime.now() > msal_expiry_time: + logging.info("MSAL token expiring soon, getting new token") + token, msal_expiry_time = self.get_token() + if token: + logging.info("MSAL token obtained") + try: + if self.greynoise_size != 0 and self.greynoise_size<= 2000: + payload = self.session.query( + query=self.greynoise_query, + size=self.greynoise_size, + scroll=scroll, + ) + else: + payload = self.session.query( + query=self.greynoise_query, + scroll=scroll, + size=2000 + ) + + # this protects from bad / invalid queries + # and exits out before proceeding + if payload["count"] == 0: + logging.info("GreyNoise Query return no results, exiting") + sys.exit(1) + + # Capture the total number of indicators available + elif payload["count"] and payload_size is None: + payload_size = int(payload["count"]) + logging.info("Total Indicators found: %s results" % payload_size) + + # Loop to generate STIX objects and upload to Sentinel + stix_objects = [] + counter = 0 + chunk_size = 100 # MS Graph TI Upload API limits are 100 indicators per request 
and 100 requests per minute. + for batch in self.chunks(payload["data"], chunk_size): + for gn_object in batch: + stix_object = self.gn_stix_generator.generate_indicator(gn_object) + expected_chunk_size = len(batch) + stix_objects.append(stix_object) + counter += 1 + if counter == expected_chunk_size: + # send batch to sentinel + self.upload_indicators_to_sentinel(token, stix_objects) + # reset counter and stix_objects + counter = 0 + stix_objects = [] + # logging.info("Sent 100 GreyNoise indicators to Sentinel" ) + + # the scroll is for pagination but does not always exist because + # we have consumed all the IPs + scroll = payload.get("scroll") + complete = payload["complete"] + + addresses = len(payload["data"]) + total_addresses += addresses + + logging.info( + "Sent %s GreyNoise indicators to Sentinel for a total of %s addresses" + % (addresses, total_addresses) + ) + + # this is a hacky workaround to deal with an edge case on the API where if + # you limit the results on a query, the complete flag doesn't flip to + # true correctly + if ( + self.greynoise_size == 0 + # and self.greynoise_size < int(payload["count"]) # noqa: W503 + and total_addresses >= payload_size # noqa: W503 + ): + break + elif ( + self.greynoise_size != 0 + and self.greynoise_size < int(payload["count"]) # noqa: W503 + and self.greynoise_size <= total_addresses # noqa: W503 + ): + break + + except Exception as reqErr: + logging.error("Uploading IPs failed: %s" % str(reqErr)) + if tries != 0: + tries -= 1 + logging.error("Trying again in 10 seconds using same scroll...") + time.sleep(10) + else: + logging.error( + "Exiting program. Max tries met. With time str%s and last scroll: %s" + % (str(time), scroll) + ) + sys.exit(3) + + logging.info( + "Ingest process completed. Inserted %s Indicators into Microsoft Sentinel Threat Intelligence." 
+ % total_addresses + ) + + +def checkEnvironmentVariables(env): + # the following checks will ensure required environment variables are set + # and any others will have some type of defaulting + unset_environment_variables = [] + + for env_var in REQUIRED_ENVIRONMENT_VARIABLES: + if not env.get(env_var, False): + unset_environment_variables.append(env_var) + + if unset_environment_variables: + logging.error( + "The following required environment variables are unset: %s" + % str(unset_environment_variables) + ) + sys.exit(2) + +def build_query_string(env): + classifications = env.get("GREYNOISE_CLASSIFICATIONS", "malicious") + logging.info("Building query string for %s" % classifications) + + # a user can accidentally set the environment to an empty string + if len(classifications) == 0: + return '(classification:malicious)' + + classifications = classifications.split(",") + length_of_classifications = len(classifications) + + classification_string = "(" + for item in classifications: + length_of_classifications -= 1 + classification_string += "classification:" + item + if length_of_classifications > 0: + classification_string += " OR " + + classification_string += ")" + return classification_string + + +def main(mytimer: func.TimerRequest) -> None: + utc_timestamp = datetime.datetime.utcnow().replace( + tzinfo=datetime.timezone.utc).isoformat() + + if mytimer.past_due: + logging.info('The timer is past due!') + + env = os.environ.copy() + + checkEnvironmentVariables(env) + + # SET VARS + query_time = "1" + size = int(env.get("GREYNOISE_LIMIT", 0)) + + # our classifications are formatted for greynoise + classifications = build_query_string(env) + + + # obtain our query for greynoise + try: + query_time = int(query_time) + if query_time > 90 or query_time < 1: + logging.error("Time input is not a valid integer between 1 and 90") + sys.exit(1) + else: + if query_time == 1: + logging.info("Using default query time of 1 day") + else: + logging.info("Using custom query 
time of %s day(s)" % str(query_time)) + query_time = "last_seen:%sd" % query_time + except ValueError: + logging.error("Input for time is not valid") + sys.exit(1) + + # build our query + query = classifications + " " + query_time + + if size != "": + logging.info("Querying GreyNoise API") + try: + size = int(size) + if size == 0: + logging.info("No size limit provided, returning all indicators available") + elif size <= 1: + logging.info("Limiting results to %s" % str(size)) + + except ValueError: + logging.error("Input for size is not valid") + sys.exit(1) + else: + size = 0 + logging.info("No size limited provided, returning all indicators available") + + # set up everything required to pass into the updater + greynoise_setup = GreyNoiseSetup( + env.get("GREYNOISE_KEY"), query, env.get("GREYNOISE_MAX_TRIES", 3), size + ) + msal_setup = MSALSetup( + env.get("TENANT_ID"), env.get("CLIENT_ID"), env.get("CLIENT_SECRET"), env.get("WORKSPACE_ID") + ) + + g = GreuNoiseSentinelUpdater(greynoise_setup, msal_setup) + g.consume_ips() + + logging.info('Python timer trigger function ran at %s', utc_timestamp) diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/readme.md b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/readme.md new file mode 100644 index 00000000000..e8b7e887365 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/readme.md 
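Review bot: The `except requests.HTTPError` block in `upload_indicators_to_sentinel` cannot take its intended paths: `e.response.status_code == (429 or 503)` compares against `429` only, so a 503 falls through to the generic branch and exits; every branch then does `"HTTP: " + int(...)`, a str + int concatenation that raises `TypeError` before the real error is logged; `e.response.message` is not an attribute of `requests.Response`; and `status_retry` is a local reset to 0 on every call, so the recursive retry has no bound. Just below, `json.loads(response.json())` is called on an already-decoded dict and raises too, so the "nonfatal" branch is itself fatal. The rewrite below threads the retry count through a new keyword argument (existing two-positional callers are unaffected), reads `Retry-After` if the API sets it — the original's `split()[7]` parsing does not show which field it expected, so confirm against the API docs — logs with format arguments, and exits on 401 rather than continuing with an unauthenticated session as the original did. The rest of the method is unchanged.

```python
    def upload_indicators_to_sentinel(self, token: str, indicators: list, status_retry: int = 0):
        # … unchanged: docstring, url/headers/params/payload, limiter_session.request and raise_for_status …
        except requests.HTTPError as e:
            status = e.response.status_code if e.response is not None else None
            body = e.response.text if e.response is not None else str(e)
            if status in (429, 503):
                if status_retry >= 3:
                    logging.error("Too many upload indicators API retries, exiting.")
                    sys.exit(1)
                retry_after = e.response.headers.get("Retry-After", "")
                sleep_for = int(retry_after) + 5 if retry_after.isdigit() else 60
                logging.info("HTTP %s from upload API, waiting %s seconds before retry %s...", status, sleep_for, status_retry + 1)
                time.sleep(sleep_for)
                return self.upload_indicators_to_sentinel(token, indicators, status_retry=status_retry + 1)
            logging.error("HTTP %s: %s", status, body)
            if status == 401:
                logging.error('Did you add the Azure Sentinel Contributor role to your service principal?')
                logging.error('More info here: https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api#acquire-an-access-token')
            logging.error('Cannot upload indicators to Azure Sentinel, exiting.')
            sys.exit(1)

        # Check for submission errors; the API reports per-indicator problems without failing the request
        result = response.json()
        if result.get('errors'):
            logging.warning('Nonfatal error in submitting indicator(s); continuing. Errors: %s', result.get('errors'))

        return result
```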
@@ -0,0 +1,11 @@
+# TimerTrigger - Python
+
+The `TimerTrigger` makes it incredibly easy to have your functions executed on a schedule. This sample demonstrates a simple use case of calling your function every 5 minutes.
+
+## How it works
+
+For a `TimerTrigger` to work, you provide a schedule in the form of a [cron expression](https://en.wikipedia.org/wiki/Cron#CRON_expression)(See the link for full details). A cron expression is a string with 6 separate expressions which represent a given schedule via patterns. The pattern we use to represent every 5 minutes is `0 */5 * * * *`. This, in plain text, means: "When seconds is equal to 0, minutes is divisible by 5, for any hour, day of the month, month, day of the week, or year".
+
+## Learn more
+
+ Documentation
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/stixGen.py b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/stixGen.py
new file mode 100644
index 00000000000..66f8771f4b1
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseAPISentinelConnector/stixGen.py
@@ -0,0 +1,49 @@ +import datetime +import json +import uuid + +from stix2 import Indicator + +# https://stix2.readthedocs.io/en/latest/guide/custom.html#ID-Contributing-Properties-for-Custom-Cyber-Observables +# OASIS recommended Namespace for UUIDs +NAMESPACE_UUID = uuid.UUID('00abedb4-aa42-466c-9c01-fed23315a9b7') + +class GreyNoiseStixGenerator: + def __init__(self): + self.stix_version = "2.1" + self.pattern_type = "stix" + self.name = "GreyNoise Internet Scanner IOC" + self.valid_until = (datetime.datetime.utcnow() + datetime.timedelta(hours=24)).isoformat() + "Z" + self.created_by_ref = "identity--90a30b13-e3e2-45e1-be2b-48a8b977ecbc" + self.namespace_uuid = NAMESPACE_UUID + + @staticmethod + def generate_id_for_ioc_value(ioc_value: str) -> str: + """Generate a stix 2.1 id for an IOC value.""" + ioc_uuid = str(uuid.uuid5(namespace=NAMESPACE_UUID, name=ioc_value.lower())) + return f'indicator--{ioc_uuid}' + + def generate_indicator(self, gnIndicator: dict): + # Set confidence to 90 if spoofable, 100 if not + if gnIndicator.get('spoofable') == True and gnIndicator.get('classification') != "benign": + confidence = 90 + else: + confidence = 100 + indicator = Indicator( + id=self.generate_id_for_ioc_value(gnIndicator.get('ip')), + type="indicator", + spec_version=self.stix_version, + name=self.name, + description="GreyNoise Indicator", + indicator_types=[gnIndicator.get('classification')], + pattern="[ipv4-addr:value = '{}']".format(gnIndicator.get('ip')), + pattern_type=self.pattern_type, + valid_from=datetime.datetime.strptime(gnIndicator.get('first_seen'), "%Y-%m-%d").isoformat()+'Z', + valid_until=self.valid_until, + created_by_ref=self.created_by_ref, + labels=gnIndicator.get('tags'), + confidence=confidence, + ) + + # Convert to dict from Stix Incident Object + return json.loads(indicator.serialize()) 
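Review bot: generate_indicator feeds gnIndicator.get('ip') and gnIndicator.get('first_seen') straight into the pattern string and strptime, so a record missing either key raises a TypeError from strptime or silently emits the pattern `[ipv4-addr:value = 'None']` instead of a clear error; since the value is interpolated into a STIX pattern, check it with `ipaddress.ip_address(...)` (needs `import ipaddress`) and require `first_seen` before constructing the Indicator, so malformed upstream data is rejected at the boundary. valid_until is computed once in __init__, so every indicator produced by a long-lived generator carries the construction-time expiry rather than the generation time; recompute it per call (the attribute can stay if something outside this file reads it — I could not tell from here). utcnow() is naive and the 'Z' suffix is appended by hand; `datetime.datetime.now(datetime.timezone.utc)` gives an aware timestamp directly. The comment above the confidence selection should also mention the benign exclusion, e.g. `# 90 when the source is spoofable (and not benign), else 100`.
```python
    def generate_indicator(self, gnIndicator: dict):
        ip = gnIndicator.get('ip')
        first_seen = gnIndicator.get('first_seen')
        if ip is None or first_seen is None:
            raise ValueError("GreyNoise record is missing 'ip' or 'first_seen'")
        # reject anything that is not a literal IPv4 address before it reaches the pattern
        if ipaddress.ip_address(ip).version != 4:
            raise ValueError("expected an IPv4 address, got %r" % ip)
        # expiry is relative to this call, not to generator construction
        valid_until = (datetime.datetime.now(datetime.timezone.utc)
                       + datetime.timedelta(hours=24)).isoformat().replace('+00:00', 'Z')
        # … unchanged: confidence selection …
        indicator = Indicator(
            id=self.generate_id_for_ioc_value(ip),
            # … unchanged: type, spec_version, name, description, indicator_types …
            pattern="[ipv4-addr:value = '{}']".format(ip),
            # … unchanged: pattern_type …
            valid_from=datetime.datetime.strptime(first_seen, "%Y-%m-%d").isoformat() + 'Z',
            valid_until=valid_until,
            # … unchanged: created_by_ref, labels, confidence …
        )
        # … unchanged: serialize and return …
```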
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json
new file mode 100644
index 00000000000..1e48a77f05f
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json
@@ -0,0 +1,133 @@ +{ + "id": "GreyNoise2SentinelAPI", + "title": "GreyNoise Threat Intelligence (Using Azure Functions)", + "publisher": "GreyNoise, Inc. and BlueCycle LLC", + "descriptionMarkdown": "This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total indicators received", + "legend": "Connection Events", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'" + } + ], + "sampleQueries": [ + { + "description": "All Threat Intelligence APIs Indicators", + "query": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem == 'GreyNoise' | summarize Time = max(TimeGenerated)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator| where SourceSystem == 'GreyNoise' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": true + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.SecurityInsights/threatintelligence/write", + "permissionsDisplayText": "write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + },{ + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ],"customs": [ + { + "name": "Microsoft.Web/sites 
permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "GreyNoise API Key", + "description": "Retreive your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key)." + } + ] + }, + "instructionSteps": [ + { + "title": "You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps: ", + "description": "\n> The following steps create an Azure AAD application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration." + }, + { + "title": "1. Retrieve API Key from GreyNoise Portal.", + "description": "Generate an API key from GreyNoise Portal https://docs.greynoise.io/docs/using-the-greynoise-api" + }, + { + "title": "2. In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID and (note: hold off generating a Client Secret until Step 5).Also get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance should be below.", + "description": "Follow the instructions here to create your Azure AAD app and save your Client ID and Tenant ID: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#instructions\n NOTE: Wait until step 5 to generate your client secret.", + "instructions":[ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + } + ] + }, + { + "title": "3. Assign the AAD application the Microsoft Sentinel Contributor Role.", + "description": "Follow the instructions here to add the Microsoft Sentinel Contributor Role: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application" + }, + { + "title": "4. 
Specify the AAD permissions to enable MS Graph API access to the upload-indicators API.", + "description": "Follow this section here to add **'ThreatIndicators.ReadWrite.OwnedBy'** permission to the AAD App: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. \n Back in your AAD App, ensure you grant admin consent for the permissions you just added. \n Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6. " + },{ + "title": "5. Deploy the Threat Intellegence (Preview) Solution which includes the Threat Intelligence Upload Indicators API (Preview)", + "description": "See Microsoft Sentinel Content Hub for this Solution, and install it this Microsoft Sentinel instance." + }, + { + "title": "6. Deploy the Azure Function", + "description": "Click the Deploy to Azure button.\n\n [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GreyNoise-azuredeploy)\n\n Fill in the appropriate values for each parameter. **Be aware** that the only valid values for the **GREYNOISE_CLASSIFICATIONS** parameter are **malicious** and/or **unknown**, which must be comma separated. Do not bring in **benign**, as this will bring in millions of IPs which are known good and will likely cause many unwanted alerts." + }, + { + "title": "7. Send indicators to Sentinel", + "description": "The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the [Microsoft Upload Threat Intelligence Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api). \n Each indicator expires in ~24 hours from creation unless it's found on the next day's query, in which case the TI Indicator's **Valid Until** time is extended for another 24 hours, which keeps it active in Microsoft Sentinel. 
\n\n For more information on the GreyNoise API and the GreyNoise Query Language (GNQL) [click here](https://developer.greynoise.io/docs/using-the-greynoise-api)."
+ }
+ ],
+ "metadata": {
+ "id": "27dc60cc-758b-566e-93ce-932560a6ff81",
+ "version": "1.0.0",
+ "kind": "dataConnector",
+ "source": {
+ "kind": "solution",
+ "name": "GreyNoise Intelligence Solution for Microsoft Sentinel"
+ },
+ "author": {
+ "name": "Blue Cycle LLC | GreyNoise, Inc."
+ },
+ "support": {
+ "tier": "developer",
+ "name": "Support Team",
+ "email": "support@greynoise.io",
+ "link":"https://www.greynoise.io/contact/sales"
+ }
+ }
+}
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json
index d1d6c9fc23e..7cd8b55e840 100644
--- a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/azuredeploy_Connector_GreyNoiseAPISentinel_AzureFunction.json
@@ -30,7 +30,7 @@
 },
 "GREYNOISE_CLASSIFICATIONS": {
 "type": "string",
- "defaultValue": "malicious,unknown"
+ "defaultValue": "malicious"
 }
 },
 "variables": {
@@ -91,16 +91,17 @@
 "name": "[variables('FunctionName')]",
 "location": "[resourceGroup().location]",
 "sku": {
- "name": "Y1",
- "tier": "Dynamic"
+ "name": "EP2",
+ "tier": "ElasticPremium",
+ "family": "EP"
 },
- "kind": "functionapp,linux",
+ "kind": "elastic",
 "properties": {
 "name": "[variables('FunctionName')]",
- "workerSize": "0",
- "workerSizeId": "0",
- "numberOfWorkers": "1",
+ "targetWorkerCount": 1,
+ "targetWorkerSizeId": 3,
 "reserved": true,
+ "maximumElasticWorkerCount": 20,
 "siteConfig": {
 "linuxFxVersion": "Python|3.10"
 }
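Review bot: Both entries under permissions.resourceProvider set `"delete": true` in requiredPermissions while their permissionsDisplayText promises only write (or read and write) access, and nothing in this connector definition deletes anything; drop the delete flag or document in permissionsDisplayText why it is needed, so the connector asks for the least privilege it actually uses. The instruction steps disagree about the client secret: step 2 says to hold off until Step 5, but step 4 is where it is generated and it says the value is needed in Step 6. Step 4 also directs the user to grant the Graph permission ThreatIndicators.ReadWrite.OwnedBy while step 3 assigns the Sentinel Contributor role for the upload-indicators API; if the function only uses the RBAC role (I cannot confirm that from this file), the Graph grant is an unnecessary permission and the step should say which mechanism the function relies on. "Retreive your GreyNoise API Key" in the customs description should read "Retrieve".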
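Review bot: The sku block moves the function plan from Consumption (Y1) to ElasticPremium EP2 with `"maximumElasticWorkerCount": 20`, and none of those values are template parameters, so every deployment of what step 7 of the connector describes as a once-a-day timer job gets an always-billed premium plan with a 20-instance ceiling it has no visible need for. Consider exposing the SKU name/tier and worker counts as parameters with these as defaults, or adding a metadata comment stating why premium is required (the two-hour functionTimeout in host.json looks like the likely reason). `"targetWorkerSizeId": 3` next to `"name": "EP2"` is worth verifying against the plan size ids, since I could not confirm from the template that they agree.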
@@ -192,7 +193,8 @@
 "CLIENT_ID": "[parameters('CLIENT_ID')]",
 "CLIENT_SECRET": "[parameters('CLIENT_SECRET')]",
 "GREYNOISE_CLASSIFICATIONS": "[parameters('GREYNOISE_CLASSIFICATIONS')]",
- "WEBSITE_RUN_FROM_PACKAGE": "https://github.com/Azure/Azure-Sentinel/raw/db458a54839b084eac0e70bbe6e2a41f34f37e2b/Solutions/GreyNoiseThreatIntelligence/Data%20Connectors/GreyNoiseAPISentinelConn.zip"
+ "GREYNOISE_LIMIT": "0",
+ "WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-GreyNoise-functionapp"
 }
 }
 ]
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/host.json b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/host.json
new file mode 100644
index 00000000000..70d9075f634
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/host.json
@@ -0,0 +1,16 @@
+{
+ "version": "2.0",
+ "functionTimeout": "02:00:00",
+ "logging": {
+ "applicationInsights": {
+ "samplingSettings": {
+ "isEnabled": true,
+ "excludedTypes": "Request"
+ }
+ }
+ },
+ "extensionBundle": {
+ "id": "Microsoft.Azure.Functions.ExtensionBundle",
+ "version": "[3.*, 4.0.0)"
+ }
+}
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data Connectors/requirements.txt b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/requirements.txt
new file mode 100644
index 00000000000..007caca994a
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data Connectors/requirements.txt
@@ -0,0 +1,13 @@
+# DO NOT include azure-functions-worker in this file
+# The Python Worker is managed by Azure Functions platform
+# Manually managing azure-functions-worker may cause unexpected issues
+
+# from ./Data Connectors folder
+# pip install -r requirements.txt --target .python_packages/lib/site-packages/
+
+azure-functions
+certifi>=2022.12.07
+greynoise==2.0.1
+msal==1.23.0
+stix2>=3.0.1
+requests-ratelimiter>=0.4.0
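Review bot: The new `"WEBSITE_RUN_FROM_PACKAGE": "https://aka.ms/sentinel-GreyNoise-functionapp"` replaces a URL pinned to a specific commit with a mutable redirect, so the code a customer's function app runs is whatever the redirect resolves to at deploy time and can no longer be tied back to a reviewed revision from the template alone. If the redirect is required, pin its target to an immutable artifact (a release asset or commit-addressed zip) and record that revision in a template metadata comment, so operators can verify what was deployed; the same pinning concern applies to the loosely bounded entries in requirements.txt in this commit. `"GREYNOISE_LIMIT": "0"` is hard-coded in app settings while GREYNOISE_CLASSIFICATIONS right above it is exposed as a parameter; if the limit is meant to be operator-tunable it should follow the same pattern, e.g. `"GREYNOISE_LIMIT": "[parameters('GREYNOISE_LIMIT')]"` with a parameter defaulting to "0".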
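Review bot: azure-functions has no version at all and certifi, stix2 and requests-ratelimiter carry only lower bounds, while greynoise and msal are pinned exactly, so two builds of the package referenced by WEBSITE_RUN_FROM_PACKAGE can resolve to different dependency sets. For a function that handles an API key and a client secret, pin every entry to an exact version (e.g. `stix2==3.0.1`, `requests-ratelimiter==0.4.0`, and a concrete `azure-functions==` version) so rebuilds are reproducible and upgrades are deliberate; a hash-pinned constraints file would be stronger still. The comment block explaining the `--target .python_packages/...` install is useful and should stay.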
diff --git a/Solutions/GreyNoiseThreatIntelligence/Data/Solution_GreyNoise.json b/Solutions/GreyNoiseThreatIntelligence/Data/Solution_GreyNoise.json
new file mode 100644
index 00000000000..9ed14ca8a4f
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Data/Solution_GreyNoise.json
@@ -0,0 +1,33 @@
+ {
+ "Name": "GreyNoiseThreatIntelligence",
+ "Author": "JP Bourget jp@bluecycle.net",
+ "Logo": "",
+ "Description": "The [GreyNoise Threat Intelligence](https://www.greynoise.io/) solution for Microsoft Sentinel provides context to IP addresses seen in your environment by querying the GreyNoise API.

GreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats. \n Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n [Learn More about GreyNoise Threat Intelligence](https://www.greynoise.io/) | [GreyNoise Docs](https://docs.greynoise.io)",
+ "WorkbookDescription": [],
+ "Workbooks": ["Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json"],
+ "WorkbookBladeDescription": "",
+ "AnalyticalRuleBladeDescription": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view.",
+ "HuntingQueryBladeDescription": "",
+ "PlaybooksBladeDescription": "",
+ "Analytic Rules": [
+ "Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_DnsEvents.yaml",
+ "Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_CustomSecurityLog.yaml",
+ "Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_imNetworkSession.yaml",
+ "Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_OfficeActivity.yaml",
+ "Solutions/GreyNoiseThreatIntelligence/Analytic Rules/GreyNoise_IPEntity_SigninLogs.yaml"
+ ],
+ "Playbooks": [],
+ "PlaybookDescription": [],
+ "Parsers": [],
+ "SavedSearches": [],
+ "Hunting Queries": [],
+ "Data Connectors": ["Solutions/GreyNoiseThreatIntelligence/Data Connectors/GreyNoiseConnector_UploadIndicatorsAPI.json"],
+ "Watchlists": [],
+ "WatchlistDescription": [],
+ "BasePath": "/Users/punkrokk/repos/azureSentinelDev/Azure-Sentinel",
+ "Version": "3.0.0",
+ "Metadata": "SolutionMetadata.json",
+ "TemplateSpec": true,
+ "Is1PConnector": false
+ }
+ 
\ No newline at end of file
diff --git a/Solutions/GreyNoiseThreatIntelligence/Package/3.0.0.zip b/Solutions/GreyNoiseThreatIntelligence/Package/3.0.0.zip
new file mode 100644
index 00000000000..2a5bd71bbbd
Binary files /dev/null and b/Solutions/GreyNoiseThreatIntelligence/Package/3.0.0.zip differ
diff --git a/Solutions/GreyNoiseThreatIntelligence/Package/createUiDefinition.json b/Solutions/GreyNoiseThreatIntelligence/Package/createUiDefinition.json
new file mode 100644
index 00000000000..d425de5e505
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Package/createUiDefinition.json
@@ -0,0 +1,225 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+ "handler": "Microsoft.Azure.CreateUIDef",
+ "version": "0.1.2-preview",
+ "parameters": {
+ "config": {
+ "isWizard": false,
+ "basics": {
+ "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [GreyNoise Threat Intelligence](https://www.greynoise.io/) solution for Microsoft Sentinel provides context to IP addresses seen in your environment by querying the GreyNoise API.

GreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats. \n Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md)\r \n [Learn More about GreyNoise Threat Intelligence](https://www.greynoise.io/) | [GreyNoise Docs](https://docs.greynoise.io)\n\n**Data Connectors:** 1, **Workbooks:** 1, **Analytic Rules:** 5\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "subscription": { + "resourceProviders": [ + "Microsoft.OperationsManagement/solutions", + "Microsoft.OperationalInsights/workspaces/providers/alertRules", + "Microsoft.Insights/workbooks", + "Microsoft.Logic/workflows" + ] + }, + "location": { + "metadata": { + "hidden": "Hiding location, we get it from the log analytics workspace" + }, + "visible": false + }, + "resourceGroup": { + "allowExisting": true + } + } + }, + "basics": [ + { + "name": "getLAWorkspace", + "type": "Microsoft.Solutions.ArmApiControl", + "toolTip": "This filters by workspaces that exist in the Resource Group selected", + "condition": "[greater(length(resourceGroup().name),0)]", + "request": { + "method": "GET", + "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]" + } + }, + { + "name": "workspace", + "type": "Microsoft.Common.DropDown", + "label": "Workspace", + "placeholder": "Select a workspace", + "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected", + "constraints": { + "allowedValues": 
"[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]", + "required": true + }, + "visible": true + } + ], + "steps": [ + { + "name": "dataconnectors", + "label": "Data Connectors", + "bladeTitle": "Data Connectors", + "elements": [ + { + "name": "dataconnectors1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This Solution installs the data connector for GreyNoiseThreatIntelligence. You can get GreyNoiseThreatIntelligence custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + } + }, + { + "name": "dataconnectors-link2", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more about connecting data sources", + "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" + } + } + } + ] + }, + { + "name": "workbooks", + "label": "Workbooks", + "subLabel": { + "preValidation": "Configure the workbooks", + "postValidation": "Done" + }, + "bladeTitle": "Workbooks", + "elements": [ + { + "name": "workbooks-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs workbook(s) to help you gain insights into the telemetry collected in Microsoft Sentinel. After installing the solution, start using the workbook in Manage solution view." 
+ } + }, + { + "name": "workbooks-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" + } + } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "GreyNoise Intelligence Threat Indicators", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence." + } + } + ] + } + ] + }, + { + "name": "analytics", + "label": "Analytics", + "subLabel": { + "preValidation": "Configure the analytics", + "postValidation": "Done" + }, + "bladeTitle": "Analytics", + "elements": [ + { + "name": "analytics-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This solution installs the following analytic rule templates. After installing the solution, create and enable analytic rules in Manage solution view." + } + }, + { + "name": "analytics-link", + "type": "Microsoft.Common.TextBlock", + "options": { + "link": { + "label": "Learn more", + "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-detect-threats-custom?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef" + } + } + }, + { + "name": "analytic1", + "type": "Microsoft.Common.Section", + "label": "GreyNoise TI Map IP Entity to DnsEvents", + "elements": [ + { + "name": "analytic1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents." 
+ } + } + ] + }, + { + "name": "analytic2", + "type": "Microsoft.Common.Section", + "label": "GreyNoise TI Map IP Entity to CommonSecurityLog", + "elements": [ + { + "name": "analytic2-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog." + } + } + ] + }, + { + "name": "analytic3", + "type": "Microsoft.Common.Section", + "label": "GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)", + "elements": [ + { + "name": "analytic3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema" + } + } + ] + }, + { + "name": "analytic4", + "type": "Microsoft.Common.Section", + "label": "GreyNoise TI map IP entity to OfficeActivity", + "elements": [ + { + "name": "analytic4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity." + } + } + ] + }, + { + "name": "analytic5", + "type": "Microsoft.Common.Section", + "label": "GreyNoise TI Map IP Entity to SigninLogs", + "elements": [ + { + "name": "analytic5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs." + } + } + ] + } + ] + } + ], + "outputs": { + "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]", + "location": "[location()]", + "workspace": "[basics('workspace')]" + } + } +} diff --git a/Solutions/GreyNoiseThreatIntelligence/Package/mainTemplate.json b/Solutions/GreyNoiseThreatIntelligence/Package/mainTemplate.json new file mode 100755 index 00000000000..4aac212b801 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Package/mainTemplate.json 
@@ -0,0 +1,1392 @@
+{
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "1.0.0.0",
+ "metadata": {
+ "author": "JP Bourget jp@bluecycle.net",
+ "comments": "Solution template for GreyNoiseThreatIntelligence"
+ },
+ "parameters": {
+ "location": {
+ "type": "string",
+ "minLength": 1,
+ "defaultValue": "[resourceGroup().location]",
+ "metadata": {
+ "description": "Not used, but needed to pass arm-ttk test `Location-Should-Not-Be-Hardcoded`. We instead use the `workspace-location` which is derived from the LA workspace"
+ }
+ },
+ "workspace-location": {
+ "type": "string",
+ "defaultValue": "",
+ "metadata": {
+ "description": "[concat('Region to deploy solution resources -- separate from location selection',parameters('location'))]"
+ }
+ },
+ "workspace": {
+ "defaultValue": "",
+ "type": "string",
+ "metadata": {
+ "description": "Workspace name for Log Analytics where Microsoft Sentinel is setup"
+ }
+ },
+ "workbook1-name": {
+ "type": "string",
+ "defaultValue": "GreyNoise Intelligence Threat Indicators",
+ "minLength": 1,
+ "metadata": {
+ "description": "Name for the workbook"
+ }
+ }
+ },
+ "variables": {
+ "_solutionName": "GreyNoiseThreatIntelligence",
+ "_solutionVersion": "3.0.0",
+ "solutionId": "greynoiseintelligenceinc1681236078693.microsoft-sentinel-byol-greynoise",
+ "_solutionId": "[variables('solutionId')]",
+ "workbookVersion1": "1.0",
+ "workbookContentId1": "GreyNoiseIntellegenceOverviewWorkbook",
+ "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]",
+ "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]",
+ "_workbookContentId1": "[variables('workbookContentId1')]",
+ "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]",
+ "_workbookcontentProductId1":
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "analyticRuleVersion1": "1.0.0", + "analyticRulecontentId1": "ddf47b6f-870c-5712-a296-1383acb13c82", + "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", + "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.0", + "analyticRulecontentId2": "e50657d7-8bca-43ff-a647-d407fae440d6", + "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", + "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", + "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", + "analyticRuleVersion3": "1.0.0", + "analyticRulecontentId3": "536e8e5c-ce0e-575e-bcc9-aba8e7bf9316", + "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", + "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", + "analyticRuleTemplateSpecName3": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", + "analyticRuleVersion4": "1.0.0", + "analyticRulecontentId4": "c51628fe-999c-5150-9fd7-660fc4f58ed2", + "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", + "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", + "analyticRuleVersion5": "1.0.0", + "analyticRulecontentId5": "f6c76cc9-218c-5b76-9b82-8607f09ea1b4", + "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", + "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", + "uiConfigId1": "GreyNoise2SentinelAPI", + "_uiConfigId1": "[variables('uiConfigId1')]", + "dataConnectorContentId1": 
"GreyNoise2SentinelAPI", + "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", + "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "_dataConnectorId1": "[variables('dataConnectorId1')]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", + "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" + }, + "resources": [ + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoiseOverviewWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": 
"shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence." + }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"a4b4e975-fa7c-46a3-b669-850aacc88134\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"showDefault\":false},\"jsonData\":\"[\\r\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\r\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\r\\n]\"},{\"version\":\"KqlParameterItem/1.0\",\"name\":\"DefaultSubscription_Internal\",\"type\":1,\"isRequired\":true,\"query\":\"where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| take 1\\r\\n| project subscriptionId\",\"crossComponentResources\":[\"value::selected\"],\"isHiddenWhenLocked\":true,\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"id\":\"314d02bf-4691-43fa-af59-d67073c8b8fa\"},{\"id\":\"e6ded9a1-a83c-4762-938d-5bf8ff3d3d38\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Subscription\",\"type\":6,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"summarize by subscriptionId\\r\\n| project value = strcat(\\\"/subscriptions/\\\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, 
false)\",\"crossComponentResources\":[\"value::all\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"e3225ed0-6210-40a1-b2d0-66e42ffa71d6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Workspace\",\"type\":5,\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"resources\\r\\n| where type =~ 'microsoft.operationalinsights/workspaces'\\r\\n| order by name asc\\r\\n| summarize Selected = makelist(id, 10), All = makelist(id, 1000)\\r\\n| mvexpand All limit 100\\r\\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)\",\"crossComponentResources\":[\"{Subscription}\"],\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"queryType\":1,\"resourceType\":\"microsoft.resourcegraph/resources\",\"value\":[\"value::all\"]},{\"id\":\"15b2c181-7397-43c1-900a-28e175ae8a6f\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":604800000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":604800000}],\"allowCustom\":true},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"Parameter Selectors\"},{\"type\":1,\"content\":{\"json\":\"# [GreyNoise Threat Intelligence](https://www.greynoise.io/)\\n---\\nGreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.
\\n\\nTired of dealing with brute force attempts, web crawlers, and other scanners filling up your logs and trying to break into your infrastructure? With GreyNoise’s Malicious, Benign and Unknown Indicators, you can prevent noisy scanners from hitting your perimeter, effectively shutting them out, and giving yourself time to patch when there is an emerging exploit. Find out more at https://www.greynoise.io/solutions/maximize-soc-efficiency\\n\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"79\",\"name\":\"Workbook Overview\"},{\"type\":1,\"content\":{\"json\":\"![Image Name](https://raw.githubusercontent.com/Azure/Azure-Sentinel/111713a2f762af4196d8ca4794b4f689bc95af73/Logos/greynoise_logomark_black.svg) \"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"customWidth\":\"20\",\"name\":\"GreyNoise Logo\"},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"18c690d7-7cbd-46c1-b677-1f72692d40cd\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Ingestion\",\"subTarget\":\"Indicators\",\"preText\":\"Alert rules\",\"style\":\"link\"},{\"id\":\"f88dcf47-af98-4684-9de3-1ee5f48f68fc\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Indicators Search\",\"subTarget\":\"Observed\",\"style\":\"link\"}]},\"name\":\"Tabs link\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == 'GreyNoise'\\r\\n// Select all indicators from the table\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or 
isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 24h)\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=stacked \",\"size\":0,\"showAnalytics\":true,\"title\":\"Total GreyNoise Indicators Imported into Sentinel by Date\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == 'GreyNoise'\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select all indicators from the table\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by translate(\\\"[]\\\\\\\"\\\", \\\"\\\", Tags) \\r\\n| render barchart kind=stacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active GreyNoise Indicators Imported into Sentinel by Tag\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from 
the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\\r\\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \\\"IP\\\",\\r\\n iff(isnotempty(Url), \\\"URL\\\",\\r\\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \\\"Email\\\",\\r\\n iff(isnotempty(FileHashValue), \\\"File\\\",\\r\\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \\\"Domain\\\",\\r\\n \\\"Other\\\")))))\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by IndicatorType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Indicator Type\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where SourceSystem == 'GreyNoise'\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, 
then render the chart\\r\\n| summarize CountOfIndicators = count() by ThreatType\\r\\n| order by CountOfIndicators desc \\r\\n| render barchart kind=unstacked\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active GreyNoise Indicators by Classification\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 7\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n// Select all indicators from the table\\r\\n| where TimeGenerated < now()\\r\\n// Select only indicators that have not expired\\r\\n and ExpirationDateTime > now()\\r\\n// Select only indicators that are marked active\\r\\n and Active == true\\r\\n// Select only the most recently ingested copy of an indicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n// Summarize and order the data, then render the chart\\r\\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\\r\\n| order by CountOfIndicators desc \\r\\n| render piechart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Active Indicators by Confidence Score\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"]},\"customWidth\":\"50\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let DomainQuery=view() { \\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(DomainName)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"DomainEntry\\\"\\r\\n};\\r\\nlet UrlQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize 
arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(Url)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"UrlEntry\\\"\\r\\n};\\r\\nlet FileHashQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(FileHashValue)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"FileHashEntry\\\"\\r\\n};\\r\\nlet IPQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"IPEntry\\\"\\r\\n};\\r\\nlet EmailAddressQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSenderAddress)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailAddressEntry\\\"\\r\\n};\\r\\nlet EmailMessageQuery=view(){\\r\\nThreatIntelligenceIndicator\\r\\n| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n| where isnotempty(EmailSubject)\\r\\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\\r\\n| summarize count() by tostring(SourceSystemArray)\\r\\n| project SourceSystemArray, count_, EntryType=\\\"EmailMessageEntry\\\"\\r\\n};\\r\\nlet SingleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union 
EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))==1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1 \\r\\n};\\r\\nlet MultipleSourceIndicators=view(){\\r\\n DomainQuery\\r\\n | union UrlQuery\\r\\n | union FileHashQuery\\r\\n | union IPQuery\\r\\n | union EmailAddressQuery\\r\\n | union EmailMessageQuery\\r\\n | where array_length(todynamic(SourceSystemArray))!=1\\r\\n | summarize sum(count_) by SourceSystemArray\\r\\n | extend counter=1\\r\\n};\\r\\nlet CountOfActiveIndicatorsBySource=view(){\\r\\n ThreatIntelligenceIndicator\\r\\n\\t| summarize arg_max(TimeGenerated, *) by IndicatorId\\r\\n | where ExpirationDateTime > now() and Active == true\\r\\n | summarize count() by SourceSystem\\r\\n | project SourceSystem, count_\\r\\n};\\r\\nSingleSourceIndicators\\r\\n| join kind=fullouter MultipleSourceIndicators on counter \\r\\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \\r\\n| order by SourceSystemArray\\r\\n| extend solitary_count=sum_count_\\r\\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\\r\\n| extend total_count = shared_count + solitary_count\\r\\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\\r\\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\\r\\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\\r\\n| order by unique_percentage desc\\r\\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\\r\\n\\r\\n\",\"size\":0,\"showAnalytics\":true,\"title\":\"Uniqueness of Threat Intelligence 
Sources\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"View\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"ActiveIndicators\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 12\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Indicators\"},\"name\":\"Indicators Ingestion\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"9aec751b-07bd-43ba-80b9-f711887dce45\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Indicator\",\"label\":\"Search Indicator in Events\",\"type\":1,\"value\":\"\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"Threat Research Parameters\"},{\"type\":1,\"content\":{\"json\":\"\"},\"customWidth\":\"50\",\"name\":\"text - 9\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where SourceSystem == \\\"GreyNoise\\\"\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', '') has \\\"{Indicator}\\\"\\r\\nor 
column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('EmailSourceIpAddress', '') has \\\"{Indicator}\\\"\\r\\n| summarize count() by Table_Name \\r\\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\\r\\n| sort by ['Logs Count'] desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"exportFieldName\":\"Type\",\"exportParameterName\":\"Type\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"blue\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"//Add additional lines for desired data columns\\r\\nunion withsource= Table_Name *\\r\\n| where SourceSystem == \\\"GreyNoise\\\"\\r\\n| where column_ifexists('CallerIpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DestinationIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IpAddress', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddresses', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('IPAddress', 
'') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('RemoteIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('SrcIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('DstIpAddr', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkSourceIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkIP', '') has \\\"{Indicator}\\\"\\r\\nor column_ifexists('NetworkDestinationIP', '') has \\\"{Indicator}\\\"\\r\\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\\r\\n| render areachart\",\"size\":0,\"showAnalytics\":true,\"title\":\"Indicators Observed over Time\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Data Table\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Log\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Logs Count\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}}],\"filter\":true}},\"customWidth\":\"50\",\"name\":\"query - 4 - Copy\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tiObservables = ThreatIntelligenceIndicator\\r\\n | where SourceSystem == \\\"GreyNoise\\\"\\r\\n | where TimeGenerated < now()\\r\\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\\r\\nlet alertEntity = SecurityAlert \\r\\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\\r\\n | mvexpand(Entities)\\r\\n 
| extend entity = iif(isnotempty(Entities.Address), Entities.Address,\\r\\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \\\".\\\", Entities.DnsDomain),\\r\\n iif(isnotempty(Entities.Url), Entities.Url,\\r\\n iif(isnotempty(Entities.Value), Entities.Value,\\r\\n iif(Entities.Type == \\\"account\\\", strcat(Entities.Name,\\\"@\\\",Entities.UPNSuffix),\\\"\\\")))))\\r\\n | where isnotempty(entity) \\r\\n | project entity, SystemAlertId, AlertTime;\\r\\nlet IncidentAlerts = SecurityIncident\\r\\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\\r\\n | mv-expand AlertIds\\r\\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\\r\\nlet AlertsWithTiObservables = alertEntity\\r\\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\\r\\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\\r\\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\\r\\nIncidentsWithAlertsWithTiObservables\\r\\n| where Indicator contains '{Indicator}' or Indicator == \\\"*\\\"\\r\\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\\r\\n| sort by Incidents, Alerts desc\",\"size\":0,\"showAnalytics\":true,\"title\":\"Threat Intelligence Alerts\",\"noDataMessage\":\"No indicators observed within these thresholds\",\"timeContextFromParameter\":\"TimeRange\",\"showExportToExcel\":true,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"crossComponentResources\":[\"{Workspace}\"],\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"ThreatType\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"==\",\"thresholdValue\":\"Botnet\",\"representation\":\"Command and 
Control\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"MaliciousUrl\",\"representation\":\"Initial_Access\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Malware\",\"representation\":\"Execution\",\"text\":\"{0}{1}\"},{\"operator\":\"==\",\"thresholdValue\":\"Phishing\",\"representation\":\"Exfiltration\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"Pre attack\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Source\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"icons\",\"thresholdsGrid\":[{\"operator\":\"Default\",\"thresholdValue\":\"\",\"representation\":\"success\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"Incidents\",\"formatter\":4,\"formatOptions\":{\"palette\":\"redBright\"}},{\"columnMatch\":\"Alerts\",\"formatter\":4,\"formatOptions\":{\"palette\":\"orange\"}}],\"filter\":true}},\"name\":\"query - 5\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Observed\"},\"name\":\"Indicators Observed\"}],\"fromTemplateId\":\"sentinel-GreyNoiseOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=GreyNoiseIntellegenceOverviewWorkbook; logoFileName=greynoise_logomark_black.svg; description=This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; 
previewImagesFileNames=System.Object[]; version=1.0; title=GreyNoise Intelligence Threat Indicators; templateRelativePath=GreyNoiseOverview.json; subtitle=; provider=GreyNoise Intelligence, Inc.}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + }, + { + "contentId": "GreyNoise2SentinelAPI", + "kind": "DataConnector" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoise_IPEntity_DnsEvents_AnalyticalRules Analytics Rule 
with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId1')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query maps any IP indicators of compromise (IOCs) from GreyNoise Threat Intelligence (TI), by searching for matches in DnsEvents.", + "displayName": "GreyNoise TI Map IP Entity to DnsEvents", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 1 hour for DNS events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where SourceSystem == 'GreyNoise'\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and DNS events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match 
to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n DnsEvents\n | where TimeGenerated >= ago(dt_lookBack)\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\n | mv-expand SingleIP = split(IPAddresses, \", \") to typeof(string)\n | extend DNS_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.SingleIP\n // Filter out DNS events that occurred after the expiration of the corresponding indicator\n | where DNS_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and SingleIP, and keep the DNS event with the latest timestamp\n | summarize DNS_TimeGenerated = arg_max(DNS_TimeGenerated, *) by IndicatorId, SingleIP\n // Select the desired output fields\n | project DNS_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, DomainName, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, Computer, EventId, SubType, ClientIP, Name, IPAddresses, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = DNS_TimeGenerated, HostName = tostring(split(Computer, '.', 0)[0]), DnsDomain = tostring(strcat_array(array_slice(split(Computer, '.'), 1, -1), '.'))\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "DnsEvents" + ], + "connectorId": "DNS" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "GreyNoise2SentinelAPI" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Host", + "fieldMappings": [ + { + "columnName": "HostName", + 
"identifier": "HostName" + }, + { + "columnName": "DnsDomain", + "identifier": "DnsDomain" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "ClientIP", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId1'),'/'))))]", + "properties": { + "description": "GreyNoiseThreatIntelligence Analytics Rule 1", + "parentId": "[variables('analyticRuleId1')]", + "contentId": "[variables('_analyticRulecontentId1')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion1')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "GreyNoise TI Map IP Entity to DnsEvents", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName2')]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoise_IPEntity_CustomSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId2')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query maps GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in CommonSecurityLog.", + "displayName": "GreyNoise TI Map IP Entity to CommonSecurityLog", + "enabled": false, + "query": "let IPRegex = '[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}\\\\.[0-9]{1,3}';\nlet dt_lookBack = 1h; // Look back 1 hour for CommonSecurityLog events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where SourceSystem == 'GreyNoise'\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n 
| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and CommonSecurityLog events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n CommonSecurityLog\n | where TimeGenerated >= ago(dt_lookBack)\n | extend MessageIP = extract(IPRegex, 0, Message)\n | extend CS_ipEntity = iff(isnotempty(SourceIP), SourceIP, DestinationIP)\n | extend CS_ipEntity = iff(isempty(CS_ipEntity) and isnotempty(MessageIP), MessageIP, CS_ipEntity)\n | extend CommonSecurityLog_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.CS_ipEntity\n // Filter out logs that occurred after the expiration of the corresponding indicator\n | where CommonSecurityLog_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and CS_ipEntity, and keep the log entry with the latest timestamp\n | summarize CommonSecurityLog_TimeGenerated = arg_max(CommonSecurityLog_TimeGenerated, *) by IndicatorId, CS_ipEntity\n // Select the desired output fields\n | project timestamp = CommonSecurityLog_TimeGenerated, SourceIP, DestinationIP, MessageIP, Message, DeviceVendor, DeviceProduct, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, TI_ipEntity, CS_ipEntity, LogSeverity, DeviceAction, Type\n", + "queryFrequency": "PT4H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + 
"CommonSecurityLog" + ], + "connectorId": "CEF" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "GreyNoise2SentinelAPI" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "CS_ipEntity", + "identifier": "Address" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId2'),'/'))))]", + "properties": { + "description": "GreyNoiseThreatIntelligence Analytics Rule 2", + "parentId": "[variables('analyticRuleId2')]", + "contentId": "[variables('_analyticRulecontentId2')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion2')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "GreyNoise TI Map IP Entity to CommonSecurityLog", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName3')]", + "location": 
"[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoise_IPEntity_imNetworkSession_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId3')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This rule identifies a match Network Sessions for which the source or destination IP address is a known GreyNoise IoC.

\nThis analytic rule uses [ASIM](https://aka.ms/AboutASIM) and supports any built-in or custom source that supports the ASIM NetworkSession schema", + "displayName": "GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet IP_TI = materialize (\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where SourceSystem == 'GreyNoise'\n | extend TI_ipEntity = coalesce(NetworkIP, NetworkDestinationIP, NetworkSourceIP,EmailSourceIpAddress,\"NO_IP\")\n | where TI_ipEntity != \"NO_IP\"\n);\nIP_TI\n // using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique \n(\n _Im_NetworkSession (starttime=ago(dt_lookBack))\n | where isnotempty(SrcIpAddr)\n | summarize imNWS_mintime=min(TimeGenerated), imNWS_maxtime=max(TimeGenerated) by SrcIpAddr, DstIpAddr, Dvc, EventProduct, EventVendor \n | lookup (IP_TI | project TI_ipEntity, Active) on $left.SrcIpAddr == $right.TI_ipEntity\n | project-rename SrcMatch = Active\n | lookup (IP_TI | project TI_ipEntity, Active) on $left.DstIpAddr == $right.TI_ipEntity\n | project-rename DstMatch = Active\n | where SrcMatch or DstMatch\n | extend \n IoCIP = iff(SrcMatch, SrcIpAddr, DstIpAddr),\n IoCDirection = iff(SrcMatch, \"Source\", \"Destination\")\n)on $left.TI_ipEntity == $right.IoCIP\n| where imNWS_mintime < ExpirationDateTime\n| project imNWS_mintime, imNWS_maxtime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, SrcIpAddr, DstIpAddr, IoCDirection, IoCIP, Dvc, EventVendor, EventProduct\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": 
false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "AWSVPCFlow" + ], + "connectorId": "AWSS3" + }, + { + "dataTypes": [ + "DeviceNetworkEvents" + ], + "connectorId": "MicrosoftThreatProtection" + }, + { + "dataTypes": [ + "SecurityEvent" + ], + "connectorId": "SecurityEvents" + }, + { + "dataTypes": [ + "WindowsEvent" + ], + "connectorId": "WindowsForwardedEvents" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "Zscaler" + }, + { + "dataTypes": [ + "Syslog" + ], + "connectorId": "MicrosoftSysmonForLinux" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "PaloAltoNetworks" + }, + { + "dataTypes": [ + "VMConnection" + ], + "connectorId": "AzureMonitor(VMInsights)" + }, + { + "dataTypes": [ + "AzureDiagnostics" + ], + "connectorId": "AzureFirewall" + }, + { + "dataTypes": [ + "AzureDiagnostics" + ], + "connectorId": "AzureNSG" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CiscoASA" + }, + { + "dataTypes": [ + "Corelight_CL" + ], + "connectorId": "Corelight" + }, + { + "dataTypes": [ + "VectraStream" + ], + "connectorId": "AIVectraStream" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "CheckPoint" + }, + { + "dataTypes": [ + "CommonSecurityLog" + ], + "connectorId": "Fortinet" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + }, + { + "dataTypes": [ + "Syslog", + "CiscoMerakiNativePoller" + ], + "connectorId": "CiscoMeraki" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "GreyNoise2SentinelAPI" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IoCIP", + "identifier": "Address" + } + ] + } + ], + "customDetails": { + "IndicatorId": "IndicatorId", + "IoCExpirationTime": "ExpirationDateTime", + "IoCDescription": 
"Description", + "ThreatType": "ThreatType", + "IoCIPDirection": "IoCDirection", + "ActivityGroupNames": "ActivityGroupNames", + "IoCConfidenceScore": "ConfidenceScore", + "EventEndTime": "imNWS_maxtime", + "EventStartTime": "imNWS_mintime" + }, + "alertDetailsOverride": { + "alertDisplayNameFormat": "A network session {{IoCDirection}} address {{IoCIP}} matched an IoC.", + "alertDescriptionFormat": "The {{IoCDirection}} address {{IoCIP}} of a network session matched a known indicator of compromise of {{ThreatType}}. Consult the threat intelligence blead for more information on the indicator." + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId3'),'/'))))]", + "properties": { + "description": "GreyNoiseThreatIntelligence Analytics Rule 3", + "parentId": "[variables('analyticRuleId3')]", + "contentId": "[variables('_analyticRulecontentId3')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion3')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "GreyNoise TI map IP entity to Network Session Events (ASIM Network Session schema)", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": 
"[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoise_IPEntity_OfficeActivity_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion4')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId4')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in OfficeActivity.", + "displayName": "GreyNoise TI map IP entity to OfficeActivity", + "enabled": false, + "query": "let dt_lookBack = 1h; // Look back 1 hour for OfficeActivity events\nlet ioc_lookBack = 14d; // Look back 14 days for threat intelligence indicators\n// Fetch threat intelligence indicators related to IP addresses\nlet IP_Indicators = ThreatIntelligenceIndicator\n | where TimeGenerated >= ago(ioc_lookBack)\n | summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n | where Active == true and ExpirationDateTime > now()\n | where SourceSystem == 'GreyNoise'\n | where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkSourceIP)\n | extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n | extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n | where ipv4_is_private(TI_ipEntity) == false and TI_ipEntity !startswith \"fe80\" and TI_ipEntity !startswith \"::\" and TI_ipEntity !startswith \"127.\";\n// Perform a join between IP indicators and OfficeActivity events\nIP_Indicators\n // Use innerunique to keep performance fast and result set low, as we only need one match to indicate potential malicious activity that needs investigation\n | join kind=innerunique (\n OfficeActivity\n | where TimeGenerated >= ago(dt_lookBack)\n | where isnotempty(ClientIP)\n | extend ClientIPValues = extract_all(@'\\[?(::ffff:)?(?P(\\d+\\.\\d+\\.\\d+\\.\\d+)|[^\\]%]+)(%\\d+)?\\]?([-:](?P\\d+))?', dynamic([\"IPAddress\", \"Port\"]), ClientIP)[0]\n | extend IPAddress = iff(array_length(ClientIPValues) > 0, tostring(ClientIPValues[0]), '')\n | extend OfficeActivity_TimeGenerated = TimeGenerated\n )\n on $left.TI_ipEntity == $right.IPAddress\n // Filter out OfficeActivity events that occurred after the expiration of the corresponding indicator\n | where OfficeActivity_TimeGenerated < ExpirationDateTime\n // Group the results by IndicatorId and keep the OfficeActivity event with the latest timestamp\n | summarize OfficeActivity_TimeGenerated = arg_max(OfficeActivity_TimeGenerated, *) by IndicatorId\n // Select the desired output fields\n | project OfficeActivity_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\n TI_ipEntity, ClientIP, UserId, Operation, ResultStatus, RecordType, OfficeObjectId, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n | extend timestamp = OfficeActivity_TimeGenerated, 
Name = tostring(split(UserId, '@', 0)[0]), UPNSuffix = tostring(split(UserId, '@', 1)[0])\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + }, + { + "dataTypes": [ + "OfficeActivity" + ], + "connectorId": "Office365" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "GreyNoise2SentinelAPI" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "TI_ipEntity", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + "fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId4'),'/'))))]", + "properties": { + "description": "GreyNoiseThreatIntelligence Analytics Rule 4", + "parentId": "[variables('analyticRuleId4')]", + "contentId": "[variables('_analyticRulecontentId4')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion4')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + 
"author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "GreyNoise TI map IP entity to OfficeActivity", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "GreyNoise_IPEntity_SigninLogs_AnalyticalRules Analytics Rule with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleVersion5')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRulecontentId5')]", + "apiVersion": "2022-04-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This query maps any GreyNoise IP indicators of compromise (IOCs) from threat intelligence (TI), by searching for matches in SigninLogs.", + "displayName": 
"GreyNoise TI Map IP Entity to SigninLogs", + "enabled": false, + "query": "let dt_lookBack = 1h;\nlet ioc_lookBack = 14d;\nlet aadFunc = (tableName:string){\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack)\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| where Active == true and ExpirationDateTime > now()\n| where SourceSystem == 'GreyNoise'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(NetworkIP) or isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkSourceIP)\n// As there is potentially more than 1 indicator type for matching IP, taking NetworkIP first, then others if that is empty.\n// Taking the first non-empty value based on potential IOC match availability\n| extend TI_ipEntity = iff(isnotempty(NetworkIP), NetworkIP, NetworkDestinationIP)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(NetworkSourceIP), NetworkSourceIP, TI_ipEntity)\n| extend TI_ipEntity = iff(isempty(TI_ipEntity) and isnotempty(EmailSourceIpAddress), EmailSourceIpAddress, TI_ipEntity)\n// using innerunique to keep perf fast and result set low, we only need one match to indicate potential malicious activity that needs to be investigated\n| join kind=innerunique (\n table(tableName) | where TimeGenerated >= ago(dt_lookBack)\n | extend Status = todynamic(Status), LocationDetails = todynamic(LocationDetails)\n | extend StatusCode = tostring(Status.errorCode), StatusDetails = tostring(Status.additionalDetails), StatusReason = tostring(Status.failureReason)\n | extend State = tostring(LocationDetails.state), City = tostring(LocationDetails.city), Region = tostring(LocationDetails.countryOrRegion)\n // renaming time column so it is clear the log this came from\n | extend SigninLogs_TimeGenerated = TimeGenerated, Type = Type\n)\non $left.TI_ipEntity == $right.IPAddress\n| where SigninLogs_TimeGenerated < ExpirationDateTime\n| summarize 
SigninLogs_TimeGenerated = arg_max(SigninLogs_TimeGenerated, *) by IndicatorId, IPAddress\n| project SigninLogs_TimeGenerated, Description, ActivityGroupNames, IndicatorId, ThreatType, Url, ExpirationDateTime, ConfidenceScore,\nTI_ipEntity, IPAddress, UserPrincipalName, AppDisplayName, StatusCode, StatusDetails, StatusReason, NetworkIP, NetworkDestinationIP, NetworkSourceIP, EmailSourceIpAddress, Type\n| extend timestamp = SigninLogs_TimeGenerated, Name = tostring(split(UserPrincipalName, '@', 0)[0]), UPNSuffix = tostring(split(UserPrincipalName, '@', 1)[0])\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n", + "queryFrequency": "PT1H", + "queryPeriod": "P14D", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "requiredDataConnectors": [ + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "ThreatIntelligenceTaxii" + }, + { + "dataTypes": [ + "SigninLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "AADNonInteractiveUserSignInLogs" + ], + "connectorId": "AzureActiveDirectory" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "MicrosoftDefenderThreatIntelligence" + }, + { + "dataTypes": [ + "ThreatIntelligenceIndicator" + ], + "connectorId": "GreyNoise2SentinelAPI" + } + ], + "tactics": [ + "Impact" + ], + "entityMappings": [ + { + "entityType": "Account", + "fieldMappings": [ + { + "columnName": "Name", + "identifier": "Name" + }, + { + "columnName": "UPNSuffix", + "identifier": "UPNSuffix" + } + ] + }, + { + "entityType": "IP", + "fieldMappings": [ + { + "columnName": "IPAddress", + "identifier": "Address" + } + ] + }, + { + "entityType": "URL", + 
"fieldMappings": [ + { + "columnName": "Url", + "identifier": "Url" + } + ] + } + ] + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleId5'),'/'))))]", + "properties": { + "description": "GreyNoiseThreatIntelligence Analytics Rule 5", + "parentId": "[variables('analyticRuleId5')]", + "contentId": "[variables('_analyticRulecontentId5')]", + "kind": "AnalyticsRule", + "version": "[variables('analyticRuleVersion5')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "GreyNoise TI Map IP Entity to SigninLogs", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": 
"GreyNoiseThreatIntelligence data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId1')]", + "title": "GreyNoise Threat Intelligence (Using Azure Functions) (using Azure Functions)", + "publisher": "GreyNoise, Inc. and BlueCycle LLC", + "descriptionMarkdown": "This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total indicators received", + "legend": "Connection Events", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'" + } + ], + "sampleQueries": [ + { + "description": "All Threat Intelligence APIs Indicators", + "query": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'| sort by TimeGenerated desc" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem == 'GreyNoise' | summarize Time = max(TimeGenerated)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator| where SourceSystem == 'GreyNoise' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + 
"permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.SecurityInsights/threatintelligence/write", + "permissionsDisplayText": "write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. [See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "GreyNoise API Key", + "description": "Retreive your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key)." + } + ] + }, + "instructionSteps": [ + { + "description": "\n> The following steps create an Azure AAD application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration.", + "title": "You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps: " + }, + { + "description": "Generate an API key from GreyNoise Portal https://docs.greynoise.io/docs/using-the-greynoise-api", + "title": "1. Retrieve API Key from GreyNoise Portal." + }, + { + "description": "Follow the instructions here to create your Azure AAD app and save your Client ID and Tenant ID: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#instructions\n NOTE: Wait until step 5 to generate your client secret.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + } + ], + "title": "2. 
In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID and (note: hold off generating a Client Secret until Step 5).Also get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance should be below." + }, + { + "description": "Follow the instructions here to add the Microsoft Sentinel Contributor Role: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application", + "title": "3. Assign the AAD application the Microsoft Sentinel Contributor Role." + }, + { + "description": "Follow this section here to add **'ThreatIndicators.ReadWrite.OwnedBy'** permission to the AAD App: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. \n Back in your AAD App, ensure you grant admin consent for the permissions you just added. \n Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6. ", + "title": "4. Specify the AAD permissions to enable MS Graph API access to the upload-indicators API." + }, + { + "description": "See Microsoft Sentinel Content Hub for this Solution, and install it this Microsoft Sentinel instance.", + "title": "5. Deploy the Threat Intellegence (Preview) Solution which includes the Threat Intelligence Upload Indicators API (Preview)" + }, + { + "description": "Click the Deploy to Azure button.\n\n [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GreyNoise-azuredeploy)\n\n Fill in the appropriate values for each parameter. **Be aware** that the only valid values for the **GREYNOISE_CLASSIFICATIONS** parameter are **malicious** and/or **unknown**, which must be comma separated. Do not bring in **benign**, as this will bring in millions of IPs which are known good and will likely cause many unwanted alerts.", + "title": "6. 
Deploy the Azure Function" + }, + { + "description": "The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the [Microsoft Upload Threat Intelligence Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api). \n Each indicator expires in ~24 hours from creation unless it's found on the next day's query, in which case the TI Indicator's **Valid Until** time is extended for another 24 hours, which keeps it active in Microsoft Sentinel. \n\n For more information on the GreyNoise API and the GreyNoise Query Language (GNQL) [click here](https://developer.greynoise.io/docs/using-the-greynoise-api).", + "title": "7. Send indicators to Sentinel" + } + ], + "metadata": { + "id": "27dc60cc-758b-566e-93ce-932560a6ff81", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "solution", + "name": "GreyNoise Intelligence Solution for Microsoft Sentinel" + }, + "author": { + "name": "Blue Cycle LLC | GreyNoise, Inc." 
+ }, + "support": { + "tier": "developer", + "name": "Support Team", + "email": "support@greynoise.io", + "link": "https://www.greynoise.io/contact/sales" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "GreyNoise Threat Intelligence (Using Azure Functions) (using Azure Functions)", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', 
last(split(variables('_dataConnectorId1'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId1')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", + "contentId": "[variables('_dataConnectorContentId1')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion1')]", + "source": { + "kind": "Solution", + "name": "GreyNoiseThreatIntelligence", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "JP Bourget jp@bluecycle.net" + }, + "support": { + "name": "GreyNoise", + "email": "support@greynoise.io", + "tier": "Partner", + "link": "https://www.greynoise.io/contact/general" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "GreyNoise Threat Intelligence (Using Azure Functions) (using Azure Functions)", + "publisher": "GreyNoise, Inc. 
and BlueCycle LLC", + "descriptionMarkdown": "This Data Connector installs an Azure Function app to download GreyNoise indicators once per day and inserts them into the ThreatIntelligenceIndicator table in Microsoft Sentinel.", + "graphQueries": [ + { + "metricName": "Total indicators received", + "legend": "Connection Events", + "baseQuery": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'" + } + ], + "dataTypes": [ + { + "name": "ThreatIntelligenceIndicator", + "lastDataReceivedQuery": "ThreatIntelligenceIndicator| where isnotempty(TimeGenerated) and SourceSystem == 'GreyNoise' | summarize Time = max(TimeGenerated)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "ThreatIntelligenceIndicator| where SourceSystem == 'GreyNoise' | summarize LastLogReceived = max(TimeGenerated) | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All Threat Intelligence APIs Indicators", + "query": "ThreatIntelligenceIndicator | where SourceSystem == 'GreyNoise'| sort by TimeGenerated desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.SecurityInsights/threatintelligence/write", + "permissionsDisplayText": "write permissions are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions on the workspace are required.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "write": true, + "read": true, + "delete": true + } + } + ], + "customs": [ + { + "name": "Microsoft.Web/sites permissions", + "description": "Read and write permissions to Azure Functions to create a Function App is required. 
[See the documentation to learn more about Azure Functions](https://docs.microsoft.com/azure/azure-functions/)." + }, + { + "name": "GreyNoise API Key", + "description": "Retreive your GreyNoise API Key [here](https://viz.greynoise.io/account/api-key)." + } + ] + }, + "instructionSteps": [ + { + "description": "\n> The following steps create an Azure AAD application, retrieves a GreyNoise API key, and saves the values in an Azure Function App Configuration.", + "title": "You can connect GreyNoise Threat Intelligence to Microsoft Sentinel by following the below steps: " + }, + { + "description": "Generate an API key from GreyNoise Portal https://docs.greynoise.io/docs/using-the-greynoise-api", + "title": "1. Retrieve API Key from GreyNoise Portal." + }, + { + "description": "Follow the instructions here to create your Azure AAD app and save your Client ID and Tenant ID: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#instructions\n NOTE: Wait until step 5 to generate your client secret.", + "instructions": [ + { + "parameters": { + "fillWith": [ + "WorkspaceId" + ], + "label": "Workspace ID" + }, + "type": "CopyableLabel" + } + ], + "title": "2. In your Azure AD tenant, create an Azure Active Directory (AAD) application and acquire Tenant ID, Client ID and (note: hold off generating a Client Secret until Step 5).Also get the Log Analytics Workspace ID associated with your Microsoft Sentinel instance should be below." + }, + { + "description": "Follow the instructions here to add the Microsoft Sentinel Contributor Role: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-upload-api#assign-a-role-to-the-application", + "title": "3. Assign the AAD application the Microsoft Sentinel Contributor Role." 
+ }, + { + "description": "Follow this section here to add **'ThreatIndicators.ReadWrite.OwnedBy'** permission to the AAD App: https://learn.microsoft.com/en-us/azure/sentinel/connect-threat-intelligence-tip#specify-the-permissions-required-by-the-application. \n Back in your AAD App, ensure you grant admin consent for the permissions you just added. \n Finally, in the 'Tokens and APIs' section, generate a client secret and save it. You will need it in Step 6. ", + "title": "4. Specify the AAD permissions to enable MS Graph API access to the upload-indicators API." + }, + { + "description": "See Microsoft Sentinel Content Hub for this Solution, and install it this Microsoft Sentinel instance.", + "title": "5. Deploy the Threat Intellegence (Preview) Solution which includes the Threat Intelligence Upload Indicators API (Preview)" + }, + { + "description": "Click the Deploy to Azure button.\n\n [![Deploy To Azure](https://aka.ms/deploytoazurebutton)](https://aka.ms/sentinel-GreyNoise-azuredeploy)\n\n Fill in the appropriate values for each parameter. **Be aware** that the only valid values for the **GREYNOISE_CLASSIFICATIONS** parameter are **malicious** and/or **unknown**, which must be comma separated. Do not bring in **benign**, as this will bring in millions of IPs which are known good and will likely cause many unwanted alerts.", + "title": "6. Deploy the Azure Function" + }, + { + "description": "The function app installed in Step 6 queries the GreyNoise GNQL API once per day, and submits each indicator found in STIX 2.1 format to the [Microsoft Upload Threat Intelligence Indicators API](https://learn.microsoft.com/en-us/azure/sentinel/upload-indicators-api). \n Each indicator expires in ~24 hours from creation unless it's found on the next day's query, in which case the TI Indicator's **Valid Until** time is extended for another 24 hours, which keeps it active in Microsoft Sentinel. 
\n\n For more information on the GreyNoise API and the GreyNoise Query Language (GNQL) [click here](https://developer.greynoise.io/docs/using-the-greynoise-api).",
+ "title": "7. Send indicators to Sentinel"
+ }
+ ],
+ "id": "[variables('_uiConfigId1')]"
+ }
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "version": "3.0.0",
+ "kind": "Solution",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "GreyNoiseThreatIntelligence",
+ "publisherDisplayName": "GreyNoise",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The GreyNoise Threat Intelligence solution for Microsoft Sentinel provides context to IP addresses seen in your environment by querying the GreyNoise API.

GreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.\nReview the solution Release Notes

\n

Learn More about GreyNoise Threat Intelligence | GreyNoise Docs

\n

Data Connectors: 1, Workbooks: 1, Analytic Rules: 5

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
+ "contentId": "[variables('_solutionId')]",
+ "parentId": "[variables('_solutionId')]",
+ "source": {
+ "kind": "Solution",
+ "name": "GreyNoiseThreatIntelligence",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "JP Bourget jp@bluecycle.net"
+ },
+ "support": {
+ "name": "GreyNoise",
+ "email": "support@greynoise.io",
+ "tier": "Partner",
+ "link": "https://www.greynoise.io/contact/general"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId1')]",
+ "version": "[variables('analyticRuleVersion1')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId2')]",
+ "version": "[variables('analyticRuleVersion2')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId3')]",
+ "version": "[variables('analyticRuleVersion3')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId4')]",
+ "version": "[variables('analyticRuleVersion4')]"
+ },
+ {
+ "kind": "AnalyticsRule",
+ "contentId": "[variables('analyticRulecontentId5')]",
+ "version": "[variables('analyticRuleVersion5')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ }
+ ]
+ },
+ "firstPublishDate": "2023-09-05",
+ "lastPublishDate": "2023-09-05",
+ "providers": [
+ "GreyNoise Intelligence, Inc."
+ ],
+ "categories": {
+ "domains": [
+ "Security - Threat Intelligence"
+ ]
+ }
+ },
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/', variables('_solutionId'))]"
+ }
+ ],
+ "outputs": {}
+}
diff --git a/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md b/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md
new file mode 100644
index 00000000000..0b28f03a717
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/ReleaseNotes.md
@@ -0,0 +1,3 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|---------------------------------------------|
+| 3.0.0 | 09-21-2023 | Initial Version Release |
diff --git a/Solutions/GreyNoiseThreatIntelligence/SolutionMetadata.json b/Solutions/GreyNoiseThreatIntelligence/SolutionMetadata.json
new file mode 100644
index 00000000000..20aac90575a
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/SolutionMetadata.json
@@ -0,0 +1,17 @@
+ {
+ "publisherId": "greynoiseintelligenceinc1681236078693",
+ "offerId": "microsoft-sentinel-byol-greynoise",
+ "firstPublishDate": "2023-09-05",
+ "lastPublishDate": "2023-09-05",
+ "providers": ["GreyNoise Intelligence, Inc."],
+ "categories": {
+ "domains" : ["Security - Threat Intelligence"],
+ "verticals": []
+ },
+ "support": {
+ "name": "GreyNoise",
+ "email": "support@greynoise.io",
+ "tier": "Partner",
+ "link": "https://www.greynoise.io/contact/general"
+ }
+}
diff --git a/Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json b/Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json
new file mode 100644
index 00000000000..ae04cee6b98
--- /dev/null
+++ b/Solutions/GreyNoiseThreatIntelligence/Workbooks/GreyNoiseOverview.json
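Review bot: The formatting of SolutionMetadata.json is internally inconsistent: the opening `{` appears indented while the closing `}` sits at column 0, and `"domains" : [` carries a space before the colon that no other key in the file has; passing the file through `jq .` or `python -m json.tool` would normalise both. `firstPublishDate` and `lastPublishDate` are `2023-09-05`, whereas the sibling ReleaseNotes.md added in this same commit records the initial release as `09-21-2023` under a `DD-MM-YYYY` header, which is not a valid day-month date and does not agree with the metadata either way, so one of the two files should be corrected before the package ships. The `providers`, `categories.domains` and `support` values do match the contentPackages resource in mainTemplate.json above.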
@@ -0,0 +1,566 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "a4b4e975-fa7c-46a3-b669-850aacc88134", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Guide", + "type": 10, + "isRequired": true, + "typeSettings": { + "showDefault": false + }, + "jsonData": "[\r\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\r\n {\"value\": \"No\", \"label\": \"No\"}\r\n]" + }, + { + "version": "KqlParameterItem/1.0", + "name": "DefaultSubscription_Internal", + "type": 1, + "isRequired": true, + "query": "where type =~ 'microsoft.operationalinsights/workspaces'\r\n| take 1\r\n| project subscriptionId", + "crossComponentResources": [ + "value::selected" + ], + "isHiddenWhenLocked": true, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "id": "314d02bf-4691-43fa-af59-d67073c8b8fa" + }, + { + "id": "e6ded9a1-a83c-4762-938d-5bf8ff3d3d38", + "version": "KqlParameterItem/1.0", + "name": "Subscription", + "type": 6, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "summarize by subscriptionId\r\n| project value = strcat(\"/subscriptions/\", subscriptionId), label = subscriptionId, selected = iff(subscriptionId =~ '{DefaultSubscription_Internal}', true, false)", + "crossComponentResources": [ + "value::all" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "e3225ed0-6210-40a1-b2d0-66e42ffa71d6", + "version": "KqlParameterItem/1.0", + "name": "Workspace", + "type": 5, + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "resources\r\n| where type =~ 'microsoft.operationalinsights/workspaces'\r\n| order by name asc\r\n| summarize Selected = makelist(id, 10), All = makelist(id, 
1000)\r\n| mvexpand All limit 100\r\n| project value = tostring(All), label = tostring(All), selected = iff(Selected contains All, true, false)", + "crossComponentResources": [ + "{Subscription}" + ], + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "queryType": 1, + "resourceType": "microsoft.resourcegraph/resources", + "value": [ + "value::all" + ] + }, + { + "id": "15b2c181-7397-43c1-900a-28e175ae8a6f", + "version": "KqlParameterItem/1.0", + "name": "TimeRange", + "type": 4, + "isRequired": true, + "value": { + "durationMs": 604800000 + }, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + } + ], + "allowCustom": true + }, + "timeContextFromParameter": "TimeRange" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "Parameter Selectors" + }, + { + "type": 1, + "content": { + "json": "# [GreyNoise Threat Intelligence](https://www.greynoise.io/)\n---\nGreyNoise collects, analyzes, and labels data on IPs that scan the internet and saturate security tools with noise. We provides near real time, actionable threat intelligence from our proprietary network of over 3,100 sensors running worldwide. This unique perspective helps analysts spend less time on irrelevant or harmless activity, and more time on targeted and emerging threats.
\n\nTired of dealing with brute force attempts, web crawlers, and other scanners filling up your logs and trying to break into your infrastructure? With GreyNoise’s Malicious, Benign and Unknown Indicators, you can prevent noisy scanners from hitting your perimeter, effectively shutting them out, and giving yourself time to patch when there is an emerging exploit. Find out more at https://www.greynoise.io/solutions/maximize-soc-efficiency\n" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "79", + "name": "Workbook Overview" + }, + { + "type": 1, + "content": { + "json": "![Image Name](https://raw.githubusercontent.com/Azure/Azure-Sentinel/111713a2f762af4196d8ca4794b4f689bc95af73/Logos/greynoise_logomark_black.svg) " + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "customWidth": "20", + "name": "GreyNoise Logo" + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": "18c690d7-7cbd-46c1-b677-1f72692d40cd", + "cellValue": "TAB", + "linkTarget": "parameter", + "linkLabel": "Indicators Ingestion", + "subTarget": "Indicators", + "preText": "Alert rules", + "style": "link" + }, + { + "id": "f88dcf47-af98-4684-9de3-1ee5f48f68fc", + "cellValue": "TAB", + "linkTarget": "parameter", + "linkLabel": "Indicators Search", + "subTarget": "Observed", + "style": "link" + } + ] + }, + "name": "Tabs link" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or 
isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType, bin(TimeGenerated, 24h)\r\n| order by CountOfIndicators desc \r\n| render barchart kind=stacked ", + "size": 0, + "showAnalytics": true, + "title": "Total GreyNoise Indicators Imported into Sentinel by Date", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select all indicators from the table\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by translate(\"[]\\\"\", \"\", Tags) \r\n| render barchart kind=stacked", + "size": 0, + "showAnalytics": true, + "title": "Active GreyNoise Indicators Imported into Sentinel by Tag", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": 
"ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Create a new column to identify the type of indicator, IP, Domain, URL, File, or Other\r\n| extend IndicatorType = iif(isnotempty(EmailSourceIpAddress) or isnotempty(NetworkDestinationIP) or isnotempty(NetworkIP) or isnotempty(NetworkSourceIP) or isnotempty(NetworkCidrBlock), \"IP\",\r\n iff(isnotempty(Url), \"URL\",\r\n iff(isnotempty(EmailRecipient) or isnotempty(EmailSenderAddress), \"Email\",\r\n iff(isnotempty(FileHashValue), \"File\",\r\n iff(isnotempty(DomainName) or isnotempty(EmailSourceDomain), \"Domain\",\r\n \"Other\")))))\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by IndicatorType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Active Indicators by Indicator Type", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where SourceSystem == 'GreyNoise'\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order 
the data, then render the chart\r\n| summarize CountOfIndicators = count() by ThreatType\r\n| order by CountOfIndicators desc \r\n| render barchart kind=unstacked", + "size": 0, + "showAnalytics": true, + "title": "Active GreyNoise Indicators by Classification", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 7" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n// Select all indicators from the table\r\n| where TimeGenerated < now()\r\n// Select only indicators that have not expired\r\n and ExpirationDateTime > now()\r\n// Select only indicators that are marked active\r\n and Active == true\r\n// Select only the most recently ingested copy of an indicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n// Summarize and order the data, then render the chart\r\n| summarize CountOfIndicators = count() by tostring(ConfidenceScore)\r\n| order by CountOfIndicators desc \r\n| render piechart", + "size": 0, + "showAnalytics": true, + "title": "Active Indicators by Confidence Score", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ] + }, + "customWidth": "50", + "name": "query - 10" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let DomainQuery=view() { \r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(DomainName)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by DomainName\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"DomainEntry\"\r\n};\r\nlet UrlQuery=view(){\r\nThreatIntelligenceIndicator\r\n| 
summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(Url)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by Url\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"UrlEntry\"\r\n};\r\nlet FileHashQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(FileHashValue)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by FileHashValue\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"FileHashEntry\"\r\n};\r\nlet IPQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(NetworkIP) or isnotempty(NetworkSourceIP)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by NetworkIP, NetworkSourceIP\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"IPEntry\"\r\n};\r\nlet EmailAddressQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSenderAddress)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSenderAddress\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailAddressEntry\"\r\n};\r\nlet EmailMessageQuery=view(){\r\nThreatIntelligenceIndicator\r\n| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n| where isnotempty(EmailSubject)\r\n| summarize SourceSystemArray=make_set(SourceSystem) by EmailSubject\r\n| summarize count() by tostring(SourceSystemArray)\r\n| project SourceSystemArray, count_, EntryType=\"EmailMessageEntry\"\r\n};\r\nlet SingleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))==1\r\n | summarize sum(count_) 
by SourceSystemArray\r\n | extend counter=1 \r\n};\r\nlet MultipleSourceIndicators=view(){\r\n DomainQuery\r\n | union UrlQuery\r\n | union FileHashQuery\r\n | union IPQuery\r\n | union EmailAddressQuery\r\n | union EmailMessageQuery\r\n | where array_length(todynamic(SourceSystemArray))!=1\r\n | summarize sum(count_) by SourceSystemArray\r\n | extend counter=1\r\n};\r\nlet CountOfActiveIndicatorsBySource=view(){\r\n ThreatIntelligenceIndicator\r\n\t| summarize arg_max(TimeGenerated, *) by IndicatorId\r\n | where ExpirationDateTime > now() and Active == true\r\n | summarize count() by SourceSystem\r\n | project SourceSystem, count_\r\n};\r\nSingleSourceIndicators\r\n| join kind=fullouter MultipleSourceIndicators on counter \r\n| where SourceSystemArray contains todynamic(SourceSystemArray)[0] \r\n| order by SourceSystemArray\r\n| extend solitary_count=sum_count_\r\n| summarize shared_count = sum(sum_count_1) by SourceSystemArray, solitary_count\r\n| extend total_count = shared_count + solitary_count\r\n| extend unique_percentage = round(toreal(solitary_count)/toreal(total_count)*100, 1)\r\n| extend IndicatorSource = tostring(todynamic(SourceSystemArray)[0])\r\n| join kind=inner CountOfActiveIndicatorsBySource on $left.IndicatorSource == $right.SourceSystem\r\n| order by unique_percentage desc\r\n| project Source=IndicatorSource, UniquenessPercentage=unique_percentage, ActiveIndicators = count_\r\n\r\n", + "size": 0, + "showAnalytics": true, + "title": "Uniqueness of Threat Intelligence Sources", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Source", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": "", + "representation": "View", + "text": "{0}{1}" + } + ] + } 
+ }, + { + "columnMatch": "ActiveIndicators", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 12" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TAB", + "comparison": "isEqualTo", + "value": "Indicators" + }, + "name": "Indicators Ingestion" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "9aec751b-07bd-43ba-80b9-f711887dce45", + "version": "KqlParameterItem/1.0", + "name": "Indicator", + "label": "Search Indicator in Events", + "type": 1, + "value": "", + "timeContext": { + "durationMs": 7776000000 + }, + "timeContextFromParameter": "TimeRange" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "Threat Research Parameters" + }, + { + "type": 1, + "content": { + "json": "" + }, + "customWidth": "50", + "name": "text - 9" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where SourceSystem == \"GreyNoise\"\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has \"{Indicator}\"\r\nor 
column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('EmailSourceIpAddress', '') has \"{Indicator}\"\r\n| summarize count() by Table_Name \r\n| project-rename ['Data Table']=Table_Name, ['Logs Count']=count_\r\n| sort by ['Logs Count'] desc", + "size": 0, + "showAnalytics": true, + "title": "Indicators Observed", + "noDataMessage": "No indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "exportFieldName": "Type", + "exportParameterName": "Type", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Data Table", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": "", + "representation": "Log", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Logs Count", + "formatter": 4, + "formatOptions": { + "palette": "blue" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "//Add additional lines for desired data columns\r\nunion withsource= Table_Name *\r\n| where SourceSystem == \"GreyNoise\"\r\n| where column_ifexists('CallerIpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('DestinationIP', '') has \"{Indicator}\"\r\nor column_ifexists('IpAddress', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddresses', '') has \"{Indicator}\"\r\nor column_ifexists('IPAddress', '') has \"{Indicator}\"\r\nor column_ifexists('RemoteIP', '') has \"{Indicator}\"\r\nor column_ifexists('SourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('SrcIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('DstIpAddr', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkSourceIP', '') has \"{Indicator}\"\r\nor column_ifexists('NetworkIP', '') has 
\"{Indicator}\"\r\nor column_ifexists('NetworkDestinationIP', '') has \"{Indicator}\"\r\n| make-series count() default=0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step 1d by Type\r\n| render areachart", + "size": 0, + "showAnalytics": true, + "title": "Indicators Observed over Time", + "noDataMessage": "No indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "Data Table", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": "", + "representation": "Log", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Logs Count", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + } + ], + "filter": true + } + }, + "customWidth": "50", + "name": "query - 4 - Copy" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let tiObservables = ThreatIntelligenceIndicator\r\n | where SourceSystem == \"GreyNoise\"\r\n | where TimeGenerated < now()\r\n | project IndicatorId, ThreatType, Description, Active, IndicatorTime = TimeGenerated, Indicator = strcat(NetworkSourceIP, NetworkIP, NetworkDestinationIP, Url, FileHashValue, EmailSourceIpAddress, EmailSenderAddress, DomainName), SourceSystem;\r\nlet alertEntity = SecurityAlert \r\n | project parse_json(Entities), SystemAlertId , AlertTime = TimeGenerated\r\n | mvexpand(Entities)\r\n | extend entity = iif(isnotempty(Entities.Address), Entities.Address,\r\n iif(isnotempty(Entities.HostName),strcat(Entities.HostName, \".\", Entities.DnsDomain),\r\n iif(isnotempty(Entities.Url), Entities.Url,\r\n iif(isnotempty(Entities.Value), Entities.Value,\r\n iif(Entities.Type == \"account\", 
strcat(Entities.Name,\"@\",Entities.UPNSuffix),\"\")))))\r\n | where isnotempty(entity) \r\n | project entity, SystemAlertId, AlertTime;\r\nlet IncidentAlerts = SecurityIncident\r\n | project IncidentTime = TimeGenerated, IncidentNumber, Title, parse_json(AlertIds)\r\n | mv-expand AlertIds\r\n | project IncidentTime, IncidentNumber, Title, tostring(AlertIds);\r\nlet AlertsWithTiObservables = alertEntity\r\n | join kind=inner tiObservables on $left.entity == $right.Indicator;\r\nlet IncidentsWithAlertsWithTiObservables = AlertsWithTiObservables\r\n | join kind=inner IncidentAlerts on $left.SystemAlertId == $right.AlertIds;\r\nIncidentsWithAlertsWithTiObservables\r\n| where Indicator contains '{Indicator}' or Indicator == \"*\"\r\n| summarize Incidents=dcount(IncidentNumber), Alerts=dcount(SystemAlertId) by Indicator, ThreatType, Source = SourceSystem, Description\r\n| sort by Incidents, Alerts desc", + "size": 0, + "showAnalytics": true, + "title": "Threat Intelligence Alerts", + "noDataMessage": "No indicators observed within these thresholds", + "timeContextFromParameter": "TimeRange", + "showExportToExcel": true, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "crossComponentResources": [ + "{Workspace}" + ], + "gridSettings": { + "formatters": [ + { + "columnMatch": "ThreatType", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "==", + "thresholdValue": "Botnet", + "representation": "Command and Control", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "MaliciousUrl", + "representation": "Initial_Access", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Malware", + "representation": "Execution", + "text": "{0}{1}" + }, + { + "operator": "==", + "thresholdValue": "Phishing", + "representation": "Exfiltration", + "text": "{0}{1}" + }, + { + "operator": "Default", + "thresholdValue": "", + "representation": "Pre attack", + "text": 
"{0}{1}" + } + ] + } + }, + { + "columnMatch": "Source", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "icons", + "thresholdsGrid": [ + { + "operator": "Default", + "thresholdValue": "", + "representation": "success", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "Incidents", + "formatter": 4, + "formatOptions": { + "palette": "redBright" + } + }, + { + "columnMatch": "Alerts", + "formatter": 4, + "formatOptions": { + "palette": "orange" + } + } + ], + "filter": true + } + }, + "name": "query - 5" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TAB", + "comparison": "isEqualTo", + "value": "Observed" + }, + "name": "Indicators Observed" + } + ], + "styleSettings": {}, + "fromTemplateId": "sentinel-GreyNoiseOverview", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} diff --git a/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Logo/greynoise_logomark_black.svg b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Logo/greynoise_logomark_black.svg new file mode 100644 index 00000000000..12c2e131372 --- /dev/null +++ b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Logo/greynoise_logomark_black.svg @@ -0,0 +1,42 @@ + + + + + + + + + + + + + + + + + + + + + diff --git a/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png new file mode 100644 index 00000000000..79d9cb60c45 Binary files /dev/null and b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png differ 
diff --git a/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png
new file mode 100644
index 00000000000..14c534e9a70
Binary files /dev/null and b/Solutions/GreyNoiseThreatIntelligence/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png differ
diff --git a/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json b/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
index d7e6f99813d..5ff9587054c 100644
--- a/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
+++ b/Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json
@@ -62,7 +62,7 @@
 "instructionSteps": [
 {
 "title": "",
- "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." ,
+ "description":"**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." ,
 "instructions": [
 ]
 },
diff --git a/Solutions/ISC Bind/Data/Solution_ISC Bind.json b/Solutions/ISC Bind/Data/Solution_ISC Bind.json
index 17c3788d095..c324e724db2 100644
--- a/Solutions/ISC Bind/Data/Solution_ISC Bind.json
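Review bot: The new instruction text in the `@@ -62,7 +62,7 @@` hunk replaces a direct repository link with the short link `https://aka.ms/sentinel-iscbind-parser`, whose target cannot be verified from this diff; the old link pointed at `Parsers/ISCBind.txt`, and this same change re-references the parser as `Parsers/ISCBind.yaml` in Solution_ISC Bind.json, so the alias must resolve to the .yaml path or the "click here" guidance lands on a 404. Please confirm the redirect target once, since the identical sentence is duplicated into the generated mainTemplate.json (two hunks there carry the same string) and will inherit whatever this alias points to. If the alias is owned by a different team, a comment in the PR description naming the intended destination would let reviewers check it.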
+++ b/Solutions/ISC Bind/Data/Solution_ISC Bind.json
@@ -2,12 +2,12 @@
 "Name": "ISC Bind",
 "Author": "Microsoft - support@microsoft.com",
 "Logo": "",
- "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
+ "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)",
 "Data Connectors": [
 "Solutions/ISC Bind/Data Connectors/Connector_Syslog_ISCBind.json"
 ],
 "Parsers": [
- "Solutions/ISC Bind/Parsers/ISCBind.txt"
+ "Solutions/ISC Bind/Parsers/ISCBind.yaml"
 ],
 "BasePath": "C:\\GitHub\\Azure-Sentinel",
 "Version": "2.0.1",
diff --git a/Solutions/ISC Bind/Data/system_generated_metadata.json b/Solutions/ISC Bind/Data/system_generated_metadata.json
new file mode 100644
index 00000000000..9418200408f
--- /dev/null
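Review bot: The `@@ -2,12 +2,12 @@` hunk leaves `"Version": "2.0.1",` untouched as the last context line of Solution_ISC Bind.json, while the new system_generated_metadata.json and the regenerated mainTemplate.json (`_solutionVersion`) both declare 3.0.0, and a Package/3.0.0.zip is added. If the packaging tool reads the solution version from this file, the next regeneration will stamp 2.0.1 over the 3.0.0 package; the line should become `"Version": "3.0.0",` so the source of truth matches the shipped artifact. Separately, the parser reference now points at `Solutions/ISC Bind/Parsers/ISCBind.yaml`, but the visible part of this diff neither adds that .yaml nor removes ISCBind.txt, so please confirm the rename is included elsewhere in the change; otherwise the solution build will reference a file that does not exist.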
+++ b/Solutions/ISC Bind/Data/system_generated_metadata.json @@ -0,0 +1,31 @@ +{ + "Name": "ISC Bind", + "Author": "Microsoft - support@microsoft.com", + "Logo": "", + "Description": "The [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)", + "BasePath": "C:\\GitHub\\Azure-Sentinel", + "Metadata": "SolutionMetadata.json", + "TemplateSpec": true, + "Is1PConnector": false, + "Version": "3.0.0", + "publisherId": "azuresentinel", + "offerId": "azure-sentinel-solution-iscbind", + "providers": [ + "ISC" + ], + "categories": { + "domains": [ + "Networking" + ], + "verticals": [] + }, + "firstPublishDate": "2022-09-20", + "support": { + "tier": "Microsoft", + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "link": "https://support.microsoft.com/" + }, + "Data Connectors": "[\n \"Connector_Syslog_ISCBind.json\"\n]", + "Parsers": "[\n \"ISCBind.yaml\"\n]" +} diff --git a/Solutions/ISC Bind/Package/3.0.0.zip b/Solutions/ISC Bind/Package/3.0.0.zip new file mode 100644 index 00000000000..0f167715fa2 Binary files /dev/null and b/Solutions/ISC Bind/Package/3.0.0.zip differ diff --git a/Solutions/ISC Bind/Package/createUiDefinition.json b/Solutions/ISC Bind/Package/createUiDefinition.json index a0c9b07ee85..5f5020aa23f 100644 --- a/Solutions/ISC Bind/Package/createUiDefinition.json +++ b/Solutions/ISC Bind/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe [ISC Bind](https://www.isc.org/bind/) solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or 
might result in additional ingestion or operational costs:\n\n a. [Agent-based log collection (Syslog)](https://learn.microsoft.com/azure/sentinel/connect-syslog)\n\n**Data Connectors:** 1, **Parsers:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", diff --git a/Solutions/ISC Bind/Package/mainTemplate.json b/Solutions/ISC Bind/Package/mainTemplate.json index a756498cee4..a2deb61d28c 100644 --- a/Solutions/ISC Bind/Package/mainTemplate.json +++ b/Solutions/ISC Bind/Package/mainTemplate.json 
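Review bot: The Release Notes link added to the basics description in the `@@ -6,7 +6,7 @@` hunk points at `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISCBind/ReleaseNotes.md`, but every path in this diff places the solution under `Solutions/ISC Bind/` (with a space), so the link as written will not resolve; it should be `https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/ISC%20Bind/ReleaseNotes.md`. No ReleaseNotes.md is added in the visible part of this change, so even the corrected path will 404 unless that file is created alongside the 3.0.0 bump. Since createUiDefinition.json appears to be packaging-tool output, the fix presumably belongs in the tool's input or the solution metadata rather than in a hand edit of the generated file, so that the next regeneration does not reintroduce the broken path.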
@@ -34,53 +34,39 @@ "_solutionId": "[variables('solutionId')]", "email": "support@microsoft.com", "_email": "[variables('email')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_solutionName": "ISC Bind", + "_solutionVersion": "3.0.0", "uiConfigId1": "ISCBind", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ISCBind", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0", - "parserVersion1": "1.0.0", - "parserContentId1": "ISCBind-Parser", - "_parserContentId1": "[variables('parserContentId1')]", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", "parserName1": "ISCBind", "_parserName1": "[concat(parameters('workspace'),'/',variables('parserName1'))]", "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", - "parserTemplateSpecName1": "[concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1')))]" + "parserTemplateSpecName1": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", + "parserVersion1": "1.0.0", + "parserContentId1": "ISCBind-Parser", + "_parserContentId1": "[variables('parserContentId1')]", + "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "ISC Bind data connector with template", - "displayName": "ISC Bind template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - 
"description": "ISC Bind data connector with template version 2.0.1", + "description": "ISC Bind data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -157,7 +143,7 @@ }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." + "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." }, { "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", @@ -226,8 +212,8 @@ "name": "Microsoft" }, "support": { - "tier": "microsoft", - "name": "Microsoft", + "tier": "Microsoft", + "name": "Microsoft Corporation", "email": "support@microsoft.com" } } 
@@ -236,7 +222,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -261,12 +247,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "ISC Bind", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" 
@@ -362,7 +359,7 @@ }, "instructionSteps": [ { - "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/ISC%20Bind/Parsers/ISCBind.txt).The function usually takes 10-15 minutes to activate after solution installation/update." + "description": "**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected which is deployed as part of the solution. To view the function code in Log Analytics, open Log Analytics/Microsoft Sentinel Logs blade, click Functions and search for the alias ISCBind and load the function code or click [here](https://aka.ms/sentinel-iscbind-parser).The function usually takes 10-15 minutes to activate after solution installation/update." }, { "description": "Typically, you should install the agent on a different computer from the one on which the logs are generated.\n\n> Syslog logs are collected only from **Linux** agents.", 
@@ -425,33 +422,15 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('parserTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, - "properties": { - "description": "ISCBind Data Parser with template", - "displayName": "ISCBind Data Parser template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('parserTemplateSpecName1'),'/',variables('parserVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Parser" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('parserTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ISCBind Data Parser with template version 2.0.1", + "description": "ISCBind Data Parser with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", 
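Review bot: `"description": "ISCBind Data Parser with template version 3.0.0"` embeds the version as a literal, while the sibling `contentVersion` is `[variables('parserVersion1')]` and the package version is carried by `variables('_solutionVersion')` in this same template, so the next release has to be edited in several places and this string will drift silently. `"description": "[concat('ISCBind Data Parser with template version ', variables('_solutionVersion'))]"` keeps it tied to one source (use `parserVersion1` instead if the text is meant to track the parser rather than the solution). The new `dependsOn` on the `contentPackages` extension resource is consistent with the contentTemplates migration. The mainTemplate object continues outside the hunk.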
@@ -460,20 +439,21 @@ "resources": [ { "name": "[variables('_parserName1')]", - "apiVersion": "2020-08-01", + "apiVersion": "2022-10-01", "type": "Microsoft.OperationalInsights/workspaces/savedSearches", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "ISCBind", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ISCBind", - "query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all 
(\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response", - "version": 1, + "query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage 
!has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n", + "functionParameters": "", + "version": 2, "tags": [ { "name": "description", - "value": "ISCBind" + "value": "" } ] } @@ -483,7 +463,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]", "dependsOn": [ - "[variables('_parserName1')]" + "[variables('_parserId1')]" ], "properties": { "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", 
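Review bot: The saved-search tag `{"name": "description", "value": ""}` replaces the previous `"ISCBind"` with an empty string, so the deployed function carries no description, and with `Solutions/ISC Bind/Parsers/ISCBind.txt` deleted in this commit the parser's header comment (title, author, version) is gone as well; a value such as `"value": "ISC Bind DNS parser for Syslog request, cache and response events"` would preserve that context in the workspace. The same blank tag and the same KQL appear a second time in the standalone `savedSearches` resource in hunk `@@ -508,21 +488,39 @@`, and the two copies now have to be kept byte-identical by hand. In the query itself `ServerIPAddressIndex != \"-1\"` and `DNSResourceRecordIndex != \"-1\"` compare the long returned by `indexof()` with a string literal; if the intent is a plain numeric test, `!= -1` states it without relying on type coercion — worth confirming against the engine. The savedSearches resource continues outside the hunk.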
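Review bot: The Parser metadata resource in `@@ -483,7 +463,7 @@` keeps `"apiVersion": "2022-01-01-preview"` while the DataConnector metadata resources in `@@ -236,7 +222,7 @@` and `@@ -261,12 +247,23 @@` are moved to `2023-04-01-preview` in this same commit; if this is also a `providers/metadata` resource (its `type` line is above the hunk) it should use `"apiVersion": "2023-04-01-preview"` so the template does not mix API versions for one resource type. The `dependsOn` change to `[variables('_parserId1')]` is correct only if that variable resolves to the savedSearches resource ID rather than the bare name, which cannot be seen here. The resource starts and ends outside the hunk.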
@@ -508,21 +488,39 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_parserContentId1')]", + "contentKind": "Parser", + "displayName": "ISCBind", + "contentProductId": "[variables('_parsercontentProductId1')]", + "id": "[variables('_parsercontentProductId1')]", + "version": "[variables('parserVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/savedSearches", - "apiVersion": "2021-06-01", + "apiVersion": "2022-10-01", "name": "[variables('_parserName1')]", "location": "[parameters('workspace-location')]", "properties": { "eTag": "*", "displayName": "ISCBind", - "category": "Samples", + "category": "Microsoft Sentinel Parser", "functionAlias": "ISCBind", - "query": "\n\r\nlet request = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n DnsFlags:string\r\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\r\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\r\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\r\n| extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\r\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\r\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\r\nlet requestcache = Syslog \r\n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage 
!has \"response:\"\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" *\r\n \"query (cache) '\"\r\n DnsQuery:string \"/\"\r\n DnsQueryTypeName:string \"/\"\r\n DnsQueryClassName:string \"' \"\r\n Action\r\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\r\nlet response =Syslog \r\n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\r\n| parse SyslogMessage with\r\n * \"client \" * \" \"\r\n SrcIpAddr:string \"#\" \r\n SrcPortNumber:string \" \" * \"view \" * \": \"\r\n NetworkProtocol:string \": query: \"\r\n DnsQuery:string \" \"\r\n DnsQueryClassName:string \" \"\r\n DnsQueryTypeName:string \" \"\r\n \"response: \" DnsResponseCodeName: string\r\n \" \" DnsFlags: string\r\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\r\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\r\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\r\n| extend EventSubType = \"response\"\r\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\r\nunion request,requestcache,response", - "version": 1 + "query": "//request events\nlet request = Syslog \n| where SyslogMessage has_all (\"client\", \"query:\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n DnsFlags:string\n| extend ServerIPAddressIndex= indexof(DnsFlags, \" \")\n| extend ServerIPAddress = iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, ServerIPAddressIndex),\"\")\n| extend ServerIPAddress = replace_regex(ServerIPAddress,@\"[()]\",\"\")\n| 
extend DnsFlags =iif(ServerIPAddressIndex != \"-1\", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags)\n| extend SrcPortNumber = replace_regex(SrcPortNumber,@\"[^\\d]\",\"\")\n| extend EventSubType = \"request\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex;\n//request (cache) events\nlet requestcache = Syslog \n| where SyslogMessage has_all (\"client\", \"query (cache)\") and SyslogMessage !has \"response:\"\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" *\n \"query (cache) '\"\n DnsQuery:string \"/\"\n DnsQueryTypeName:string \"/\"\n DnsQueryClassName:string \"' \"\n Action\n| extend EventSubType = \"requestcache\",DnsResponseCodeName = \"NA\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName;\n// response events\nlet response =Syslog \n| where SyslogMessage has_all (\"client\", \"query:\", \"response:\")\n| parse SyslogMessage with\n * \"client \" * \" \"\n SrcIpAddr:string \"#\" \n SrcPortNumber:string \" \" * \"view \" * \": \"\n NetworkProtocol:string \": query: \"\n DnsQuery:string \" \"\n DnsQueryClassName:string \" \"\n DnsQueryTypeName:string \" \"\n \"response: \" DnsResponseCodeName: string\n \" \" DnsFlags: string\n| extend DNSResourceRecordIndex= indexof(DnsFlags, \" \")\n| extend DnsResponseName =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, DNSResourceRecordIndex), \"\")\n| extend DnsFlags =iif(DNSResourceRecordIndex != \"-1\", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags)\n| extend EventSubType = \"response\"\n| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex;\nunion request,requestcache,response\n", + "functionParameters": "", + "version": 2, + "tags": [ + { + "name": "description", + "value": "" + } + ] } }, { 
@@ -556,13 +554,20 @@ } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "ISC Bind", + "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ISC Bind solution for Microsoft Sentinel allows you to ingest ISC Bind logs to get better insights into your organization's network traffic data, DNS query data, traffic statistics and improves your security operation capabilities.

\n

Underlying Microsoft Technologies used:

\n

This solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs

\n
    \n
  1. Agent-based log collection (Syslog)
  2. \n
\n

Data Connectors: 1, Parsers: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { diff --git a/Solutions/ISC Bind/Parsers/ISCBind.txt b/Solutions/ISC Bind/Parsers/ISCBind.txt deleted file mode 100644 index 582e5d4ccdd..00000000000 --- a/Solutions/ISC Bind/Parsers/ISCBind.txt +++ /dev/null 
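Review bot: `"version": "3.0.0"` in the new `contentPackages` resource is a literal, while `packageVersion` elsewhere in this template reads `[variables('_solutionVersion')]`; writing `"version": "[variables('_solutionVersion')]"` removes one more place that must be hand-edited on every release. The `descriptionHtml` likewise hard-codes `Data Connectors: 1, Parsers: 1`, and its dependency list appears to contain an empty second item after `Agent-based log collection (Syslog)` (the markup is flattened in this view, so confirm in the source file before fixing). The resource continues outside the hunk.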
@@ -1,65 +0,0 @@ -// Title: ISC Bind -// Author: Microsoft -// Version: 1.0 -// Last Updated: 09/16/2022 -// Comment: Inital Release -// -// DESCRIPTION: -// This parser takes raw ISC Bind logs from a Syslog stream and parses the logs into a normalized schema. -// -// -// REFERENCES: -// Using functions in Azure monitor log queries: https://docs.microsoft.com/azure/azure-monitor/log-query/functions - -//request events -let request = Syslog -| where SyslogMessage has_all ("client", "query:") and SyslogMessage !has "response:" -| parse SyslogMessage with - * "client " * " " - SrcIpAddr:string "#" - SrcPortNumber:string " " * - "query: " - DnsQuery:string " " - DnsQueryClassName:string " " - DnsQueryTypeName:string " " - DnsFlags:string -| extend ServerIPAddressIndex= indexof(DnsFlags, " ") -| extend ServerIPAddress = iif(ServerIPAddressIndex != "-1", substring(DnsFlags, ServerIPAddressIndex),"") -| extend ServerIPAddress = replace_regex(ServerIPAddress,@"[()]","") -| extend DnsFlags =iif(ServerIPAddressIndex != "-1", substring(DnsFlags, 0, ServerIPAddressIndex), DnsFlags) -| extend SrcPortNumber = replace_regex(SrcPortNumber,@"[^\d]","") -| extend EventSubType = "request",DnsResponseCodeName = "NA" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,ServerIPAddressIndex; -//request (cache) events -let requestcache = Syslog -| where SyslogMessage has_all ("client", "query (cache)") and SyslogMessage !has "response:" -| parse SyslogMessage with - * "client " * " " - SrcIpAddr:string "#" - SrcPortNumber:string " " * - "query (cache) '" - DnsQuery:string "/" - DnsQueryTypeName:string "/" - DnsQueryClassName:string "' " - Action -| extend EventSubType = "requestcache",DnsResponseCodeName = "NA" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName; -// response events -let response =Syslog -| where SyslogMessage has_all ("client", "query:", "response:") -| parse SyslogMessage with - * "client " * " " - 
SrcIpAddr:string "#" - SrcPortNumber:string " " * "view " * ": " - NetworkProtocol:string ": query: " - DnsQuery:string " " - DnsQueryClassName:string " " - DnsQueryTypeName:string " " - "response: " DnsResponseCodeName: string - " " DnsFlags: string -| extend DNSResourceRecordIndex= indexof(DnsFlags, " ") -| extend DnsResponseName =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, DNSResourceRecordIndex), "") -| extend DnsFlags =iif(DNSResourceRecordIndex != "-1", substring(DnsFlags, 0, DNSResourceRecordIndex), DnsFlags) -| extend EventSubType = "response" -| project-away SyslogMessage,ProcessName,ProcessID,Facility,SeverityLevel,HostName,DNSResourceRecordIndex; -union request,requestcache,response \ No newline at end of file diff --git a/Solutions/ISC Bind/ReleaseNotes.md b/Solutions/ISC Bind/ReleaseNotes.md new file mode 100644 index 00000000000..fedd8f71d41 --- /dev/null +++ b/Solutions/ISC Bind/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 09-10-2023 | Corrected the links in the solution | + + diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml index bb75fe43bef..de514d32b40 100644 --- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml +++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inDNSEvents.yaml 
@@ -23,7 +23,7 @@ query: |
 let list_tlds = ThreatIntelligenceIndicator
 | where TimeGenerated > ago(ioc_lookBack)
 // Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
- | where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
+ | where Description == 'Recorded Future - Domains - Command and Control Activity'
 | where isnotempty(DomainName)
 | extend parts = split(DomainName, '.')
 | extend tld = parts[(array_length(parts)-1)]
@@ -33,7 +33,7 @@ query: |
 | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
 | where Active == true
 // Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
- | where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
+ | where Description == 'Recorded Future - Domains - Command and Control Activity'
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(DomainName)
 | join (
@@ -66,5 +66,5 @@ entityMappings:
 fieldMappings:
 - identifier: DomainName
 columnName: DomainCustomEntity
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
index 3b01cf134e4..a6df326b77e 100644
--- a/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
+++ b/Solutions/Recorded Future/Analytic Rules/RecordedFutureDomainMalwareC2inSyslogEvents.yaml
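Review bot: Both `@@ -23` and `@@ -33` switch the filter to an exact match on `'Recorded Future - Domains - Command and Control Activity'`, so any indicator still present in `ThreatIntelligenceIndicator` under the old `Description` (anything ingested within `ioc_lookBack`, presumably by the legacy `RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor` playbook that this commit keeps in Solution_RecordedFuture.json) silently drops out of the rule the moment it deploys. A transition filter such as `| where Description in ('Recorded Future - Domains - Command and Control Activity', 'Recorded Future - DOMAIN - C2 DNS Name')` closes that detection gap until the old indicators expire; the bump to `1.0.1` is appropriate for a behaviour change. The same pair of edits is made in `RecordedFutureDomainMalwareC2inSyslogEvents.yaml` in the next hunks. The `query` block starts and ends outside the hunks.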
@@ -23,7 +23,7 @@ query: |
 let list_tlds = ThreatIntelligenceIndicator
 | where TimeGenerated > ago(ioc_lookBack)
 // Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
- | where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
+ | where Description == 'Recorded Future - Domains - Command and Control Activity'
 | where isnotempty(DomainName)
 | extend parts = split(DomainName, '.')
 | extend tld = parts[(array_length(parts)-1)]
@@ -33,7 +33,7 @@ query: |
 | where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()
 | where Active == true
 // Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)
- | where Description == 'Recorded Future - DOMAIN - C2 DNS Name'
+ | where Description == 'Recorded Future - Domains - Command and Control Activity'
 // Picking up only IOC's that contain the entities we want
 | where isnotempty(DomainName)
 | join (
@@ -71,5 +71,5 @@ entityMappings:
 fieldMappings:
 - identifier: DomainName
 columnName: domain
-version: 1.0.0
+version: 1.0.1
 kind: Scheduled
\ No newline at end of file
diff --git a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
index 41e9a9bce7c..d81c92e63c1 100644
--- a/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
+++ b/Solutions/Recorded Future/Data/Solution_RecordedFuture.json
@@ -12,21 +12,32 @@ "Analytic Rules/RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents.yaml" ], "Playbooks": [ + "Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json", + "Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json", + "Playbooks/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json", + "Playbooks/RecordedFuture-Alert-Importer/azuredeploy.json", + "Playbooks/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "Playbooks/RecordedFuture-Domain-IndicatorImport/azuredeploy.json", + "Playbooks/RecordedFuture-Hash-IndicatorImport/azuredeploy.json", + "Playbooks/RecordedFuture-IP-IndicatorImport/azuredeploy.json", + "Playbooks/RecordedFuture-URL-IndicatorImport/azuredeploy.json", "Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json", "Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json", "Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json", - "Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json", "Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json", "Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json", - "Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json", - "Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json" + "Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json" ], "Workbooks": [ - "Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json", - "Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json" + "Workbooks/RecordedFuturePlaybookAlertOverview.json", + "Workbooks/RecordedFutureAlertOverview.json", + "Workbooks/RecordedFutureDomainCorrelation.json", + "Workbooks/RecordedFutureHashCorrelation.json", + "Workbooks/RecordedFutureIPCorrelation.json", + 
"Workbooks/RecordedFutureURLCorrelation.json" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\Recorded Future", - "Version": "2.4.0", + "Version": "3.0.0", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/Recorded Future/Package/3.0.0.zip b/Solutions/Recorded Future/Package/3.0.0.zip new file mode 100644 index 00000000000..6bcba6ff254 Binary files /dev/null and b/Solutions/Recorded Future/Package/3.0.0.zip differ diff --git a/Solutions/Recorded Future/Package/createUiDefinition.json b/Solutions/Recorded Future/Package/createUiDefinition.json index ca552bd5051..e3257e4df46 100644 --- a/Solutions/Recorded Future/Package/createUiDefinition.json +++ b/Solutions/Recorded Future/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nPlaybooks have internal dependencies to RecordedFuture-ImportToSentinel so install the RecordedFuture-ImportToSentinel playbook before any of the others. \n \n \nThis solution takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies might result in additional ingestion or operational costs.\n\n* https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design \n* https://learn.microsoft.com/en-us/azure/logic-apps/ \n* https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators \n\n\n**Workbooks:** 2, **Analytic Rules:** 6, **Playbooks:** 8\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\n[Recorded Future](https://www.recordedfuture.com/) is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.\n\nPlaybooks have internal dependencies to RecordedFuture-ImportToSentinel so install the RecordedFuture-ImportToSentinel playbook before any of the others. 
\n \n \nThis solution takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies might result in additional ingestion or operational costs.\n\n* https://learn.microsoft.com/en-us/azure/azure-monitor/logs/workspace-design \n* https://learn.microsoft.com/en-us/azure/logic-apps/ \n* https://learn.microsoft.com/en-us/azure/sentinel/work-with-threat-indicators \n\n\n**Workbooks:** 6, **Analytic Rules:** 6, **Playbooks:** 15\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -80,13 +80,13 @@ { "name": "workbook1", "type": "Microsoft.Common.Section", - "label": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting", + "label": "Recorded Future - Playbook Alerts Overview", "elements": [ { "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Sets the time name for DNS Events and Threat Intelligence Time Range" + "text": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." } } ] 
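Review bot: The new `description` still reads `is the worlds largest provider` (should be `world's`) and still tells users to `install the RecordedFuture-ImportToSentinel playbook before any of the others`, while this commit adds `RecordedFuture-ThreatIntelligenceImport` and four `*-IndicatorImport` playbooks to the solution; if that ordering constraint only applies to the legacy `*-IndicatorProcessor` playbooks, the sentence should say so, e.g. `The legacy *-IndicatorProcessor playbooks depend on RecordedFuture-ImportToSentinel; install it before them.` The counts `Workbooks: 6` and `Playbooks: 15` agree with the lists in Solution_RecordedFuture.json. The basics object continues outside the hunk.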
@@ -94,13 +94,69 @@ { "name": "workbook2", "type": "Microsoft.Common.Section", - "label": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting", + "label": "Recorded Future - Alerts Overview", "elements": [ { "name": "workbook2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "Sets the time name for DNS Events and Threat Intelligence Time Range" + "text": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." + } + } + ] + }, + { + "name": "workbook3", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Domain Correlation", + "elements": [ + { + "name": "workbook3-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook4", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - Hash Correlation", + "elements": [ + { + "name": "workbook4-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + } + } + ] + }, + { + "name": "workbook5", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - IP Correlation", + "elements": [ + { + "name": "workbook5-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future IP Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
+ } + } + ] + }, + { + "name": "workbook6", + "type": "Microsoft.Common.Section", + "label": "Recorded Future - URL Correlation", + "elements": [ + { + "name": "workbook6-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." } } ] diff --git a/Solutions/Recorded Future/Package/mainTemplate.json b/Solutions/Recorded Future/Package/mainTemplate.json index bfcd5baa8f6..4bee2ad211f 100644 --- a/Solutions/Recorded Future/Package/mainTemplate.json +++ b/Solutions/Recorded Future/Package/mainTemplate.json @@ -30,7 +30,7 @@ }, "workbook1-name": { "type": "string", - "defaultValue": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting", + "defaultValue": "Recorded Future - Playbook Alerts Overview", "minLength": 1, "metadata": { "description": "Name for the workbook" 
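Review bot: The `workbook2-text` block for `Recorded Future - Alerts Overview` says `This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.`, which copies the wording of `workbook1-text` (Playbook Alerts) even though this workbook is fed by the Alert importer; it should read `This workbook will visualize alerts imported via the RecordedFuture-Alert-Importer.` The four correlation texts repeat one sentence with only the entity type changed, and `ingested in to Sentinel` should be `ingested into Microsoft Sentinel` in each. The enclosing steps array continues outside the hunk.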
@@ -38,7 +38,39 @@ }, "workbook2-name": { "type": "string", - "defaultValue": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting", + "defaultValue": "Recorded Future - Alerts Overview", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook3-name": { + "type": "string", + "defaultValue": "Recorded Future - Domain Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook4-name": { + "type": "string", + "defaultValue": "Recorded Future - Hash Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook5-name": { + "type": "string", + "defaultValue": "Recorded Future - IP Correlation", + "minLength": 1, + "metadata": { + "description": "Name for the workbook" + } + }, + "workbook6-name": { + "type": "string", + "defaultValue": "Recorded Future - URL Correlation", "minLength": 1, "metadata": { "description": "Name for the workbook" 
@@ -46,139 +78,218 @@ } }, "variables": { - "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", - "_solutionId": "[variables('solutionId')]", "email": "support@recordedfuture.com", "_email": "[variables('email')]", - "analyticRuleVersion1": "1.0.0", + "_solutionName": "Recorded Future", + "_solutionVersion": "3.0.0", + "solutionId": "recordedfuture1605638642586.recorded_future_sentinel_solution", + "_solutionId": "[variables('solutionId')]", + "analyticRuleVersion1": "1.0.1", "analyticRulecontentId1": "a1c02815-4248-4728-a9ae-dac73c67db23", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", - "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1')))]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", - "analyticRuleVersion2": "1.0.0", + "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", + "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", + "analyticRuleVersion2": "1.0.1", "analyticRulecontentId2": "dffd068f-fdab-440e-bbc0-34c14b623c89", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", - "analyticRuleTemplateSpecName2": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2')))]", + "analyticRuleTemplateSpecName2": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId2'))))]", + "_analyticRulecontentProductId2": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId2'),'-', variables('analyticRuleVersion2'))))]", "analyticRuleVersion3": "1.0.0", "analyticRulecontentId3": "388e197d-ec9e-46b6-addb-947d74d2a5c4", "_analyticRulecontentId3": "[variables('analyticRulecontentId3')]", "analyticRuleId3": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId3'))]", - "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3')))]", + "analyticRuleTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId3'))))]", + "_analyticRulecontentProductId3": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId3'),'-', variables('analyticRuleVersion3'))))]", "analyticRuleVersion4": "1.0.0", "analyticRulecontentId4": "588dc717-7583-452c-a743-dee96705898e", "_analyticRulecontentId4": "[variables('analyticRulecontentId4')]", "analyticRuleId4": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId4'))]", - "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4')))]", + "analyticRuleTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId4'))))]", + "_analyticRulecontentProductId4": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId4'),'-', variables('analyticRuleVersion4'))))]", "analyticRuleVersion5": "1.0.0", "analyticRulecontentId5": "22cc1dff-14ad-481d-97e1-0602895e429e", "_analyticRulecontentId5": "[variables('analyticRulecontentId5')]", "analyticRuleId5": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId5'))]", - "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5')))]", + "analyticRuleTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId5'))))]", + "_analyticRulecontentProductId5": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId5'),'-', variables('analyticRuleVersion5'))))]", "analyticRuleVersion6": "1.0.0", "analyticRulecontentId6": "9acb3664-72c4-4676-80fa-9f81912e347e", "_analyticRulecontentId6": "[variables('analyticRulecontentId6')]", "analyticRuleId6": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId6'))]", - "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6')))]", - "RecordedFuture-ImportToSentinel": "RecordedFuture-ImportToSentinel", - "_RecordedFuture-ImportToSentinel": "[variables('RecordedFuture-ImportToSentinel')]", - "playbookVersion1": "1.0", - "playbookContentId1": "RecordedFuture-ImportToSentinel", + "analyticRuleTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId6'))))]", + "_analyticRulecontentProductId6": "[concat(take(variables('_solutionId'),50),'-','ar','-', 
uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId6'),'-', variables('analyticRuleVersion6'))))]", + "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "_RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash": "[variables('RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash')]", + "playbookVersion1": "2.5", + "playbookContentId1": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", "_playbookContentId1": "[variables('playbookContentId1')]", "playbookId1": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId1'))]", - "playbookTemplateSpecName1": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1')))]", - "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", - "_RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor": "[variables('RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor')]", + "playbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId1'))))]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_playbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId1'),'-', variables('playbookVersion1'))))]", + "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", + "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", "playbookVersion2": "1.0", - "playbookContentId2": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", + "playbookContentId2": "RecordedFuture-Sandbox_Enrichment-Url", "_playbookContentId2": "[variables('playbookContentId2')]", "playbookId2": "[resourceId('Microsoft.Logic/workflows', 
variables('playbookContentId2'))]", - "playbookTemplateSpecName2": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2')))]", - "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor": "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor", - "_RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor": "[variables('RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor')]", + "playbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId2'))))]", + "_playbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId2'),'-', variables('playbookVersion2'))))]", + "RecordedFuture-Playbook-Alert-Importer": "RecordedFuture-Playbook-Alert-Importer", + "_RecordedFuture-Playbook-Alert-Importer": "[variables('RecordedFuture-Playbook-Alert-Importer')]", "playbookVersion3": "1.0", - "playbookContentId3": "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor", + "playbookContentId3": "RecordedFuture-Playbook-Alert-Importer", "_playbookContentId3": "[variables('playbookContentId3')]", "playbookId3": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId3'))]", - "playbookTemplateSpecName3": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3')))]", - "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "_RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash": "[variables('RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash')]", + "playbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId3'))))]", + 
"_playbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId3'),'-', variables('playbookVersion3'))))]", + "RecordedFuture-Alert-Importer": "RecordedFuture-Alert-Importer", + "_RecordedFuture-Alert-Importer": "[variables('RecordedFuture-Alert-Importer')]", "playbookVersion4": "1.0", - "playbookContentId4": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "playbookContentId4": "RecordedFuture-Alert-Importer", "_playbookContentId4": "[variables('playbookContentId4')]", "playbookId4": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId4'))]", - "playbookTemplateSpecName4": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4')))]", - "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", - "_RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor": "[variables('RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor')]", + "playbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId4'))))]", + "_playbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId4'),'-', variables('playbookVersion4'))))]", + "RecordedFuture-ThreatIntelligenceImport": "RecordedFuture-ThreatIntelligenceImport", + "_RecordedFuture-ThreatIntelligenceImport": "[variables('RecordedFuture-ThreatIntelligenceImport')]", "playbookVersion5": "1.0", - "playbookContentId5": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", + "playbookContentId5": "RecordedFuture-ThreatIntelligenceImport", "_playbookContentId5": "[variables('playbookContentId5')]", "playbookId5": "[resourceId('Microsoft.Logic/workflows', 
variables('playbookContentId5'))]", - "playbookTemplateSpecName5": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5')))]", - "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", - "_RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor": "[variables('RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor')]", + "playbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId5'))))]", + "_playbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId5'),'-', variables('playbookVersion5'))))]", + "RecordedFuture-Domain-IndicatorImport": "RecordedFuture-Domain-IndicatorImport", + "_RecordedFuture-Domain-IndicatorImport": "[variables('RecordedFuture-Domain-IndicatorImport')]", "playbookVersion6": "1.0", - "playbookContentId6": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", + "playbookContentId6": "RecordedFuture-Domain-IndicatorImport", "_playbookContentId6": "[variables('playbookContentId6')]", "playbookId6": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId6'))]", - "playbookTemplateSpecName6": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6')))]", - "RecordedFuture-Ukraine-IndicatorProcessor": "RecordedFuture-Ukraine-IndicatorProcessor", - "_RecordedFuture-Ukraine-IndicatorProcessor": "[variables('RecordedFuture-Ukraine-IndicatorProcessor')]", + "playbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId6'))))]", + "_playbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId6'),'-', variables('playbookVersion6'))))]", + "RecordedFuture-Hash-IndicatorImport": "RecordedFuture-Hash-IndicatorImport", + "_RecordedFuture-Hash-IndicatorImport": "[variables('RecordedFuture-Hash-IndicatorImport')]", "playbookVersion7": "1.0", - "playbookContentId7": "RecordedFuture-Ukraine-IndicatorProcessor", + "playbookContentId7": "RecordedFuture-Hash-IndicatorImport", "_playbookContentId7": "[variables('playbookContentId7')]", "playbookId7": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId7'))]", - "playbookTemplateSpecName7": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7')))]", - "blanks": "[replace('b', 'b', '')]", - "RecordedFuture-Sandbox_Enrichment-Url": "RecordedFuture-Sandbox_Enrichment-Url", - "_RecordedFuture-Sandbox_Enrichment-Url": "[variables('RecordedFuture-Sandbox_Enrichment-Url')]", + "playbookTemplateSpecName7": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId7'))))]", + "_playbookcontentProductId7": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId7'),'-', variables('playbookVersion7'))))]", + "RecordedFuture-IP-IndicatorImport": "RecordedFuture-IP-IndicatorImport", + "_RecordedFuture-IP-IndicatorImport": "[variables('RecordedFuture-IP-IndicatorImport')]", "playbookVersion8": "1.0", - "playbookContentId8": "RecordedFuture-Sandbox_Enrichment-Url", + "playbookContentId8": "RecordedFuture-IP-IndicatorImport", "_playbookContentId8": "[variables('playbookContentId8')]", "playbookId8": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId8'))]", - "playbookTemplateSpecName8": "[concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8')))]", - 
"TemplateEmptyArray": "[json('[]')]", + "playbookTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId8'))))]", + "_playbookcontentProductId8": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId8'),'-', variables('playbookVersion8'))))]", + "RecordedFuture-URL-IndicatorImport": "RecordedFuture-URL-IndicatorImport", + "_RecordedFuture-URL-IndicatorImport": "[variables('RecordedFuture-URL-IndicatorImport')]", + "playbookVersion9": "1.0", + "playbookContentId9": "RecordedFuture-URL-IndicatorImport", + "_playbookContentId9": "[variables('playbookContentId9')]", + "playbookId9": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId9'))]", + "playbookTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId9'))))]", + "_playbookcontentProductId9": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId9'),'-', variables('playbookVersion9'))))]", + "RecordedFuture-ImportToSentinel": "RecordedFuture-ImportToSentinel", + "_RecordedFuture-ImportToSentinel": "[variables('RecordedFuture-ImportToSentinel')]", + "playbookVersion10": "1.1", + "playbookContentId10": "RecordedFuture-ImportToSentinel", + "_playbookContentId10": "[variables('playbookContentId10')]", + "playbookId10": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId10'))]", + "playbookTemplateSpecName10": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId10'))))]", + "_playbookcontentProductId10": "[concat(take(variables('_solutionId'),50),'-','pl','-', 
uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId10'),'-', variables('playbookVersion10'))))]", + "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", + "_RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor": "[variables('RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor')]", + "playbookVersion11": "1.1", + "playbookContentId11": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", + "_playbookContentId11": "[variables('playbookContentId11')]", + "playbookId11": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId11'))]", + "playbookTemplateSpecName11": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId11'))))]", + "_playbookcontentProductId11": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId11'),'-', variables('playbookVersion11'))))]", + "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor": "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor", + "_RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor": "[variables('RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor')]", + "playbookVersion12": "1.1", + "playbookContentId12": "RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor", + "_playbookContentId12": "[variables('playbookContentId12')]", + "playbookId12": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId12'))]", + "playbookTemplateSpecName12": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId12'))))]", + "_playbookcontentProductId12": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId12'),'-', variables('playbookVersion12'))))]", + "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", + "_RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor": "[variables('RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor')]", + "playbookVersion13": "1.1", + "playbookContentId13": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", + "_playbookContentId13": "[variables('playbookContentId13')]", + "playbookId13": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId13'))]", + "playbookTemplateSpecName13": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId13'))))]", + "_playbookcontentProductId13": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId13'),'-', variables('playbookVersion13'))))]", + "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", + "_RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor": "[variables('RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor')]", + "playbookVersion14": "1.1", + "playbookContentId14": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", + "_playbookContentId14": "[variables('playbookContentId14')]", + "playbookId14": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId14'))]", + "playbookTemplateSpecName14": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId14'))))]", + "_playbookcontentProductId14": 
"[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId14'),'-', variables('playbookVersion14'))))]", + "RecordedFuture-Ukraine-IndicatorProcessor": "RecordedFuture-Ukraine-IndicatorProcessor", + "_RecordedFuture-Ukraine-IndicatorProcessor": "[variables('RecordedFuture-Ukraine-IndicatorProcessor')]", + "playbookVersion15": "1.1", + "playbookContentId15": "RecordedFuture-Ukraine-IndicatorProcessor", + "_playbookContentId15": "[variables('playbookContentId15')]", + "playbookId15": "[resourceId('Microsoft.Logic/workflows', variables('playbookContentId15'))]", + "playbookTemplateSpecName15": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pl-',uniquestring(variables('_playbookContentId15'))))]", + "_playbookcontentProductId15": "[concat(take(variables('_solutionId'),50),'-','pl','-', uniqueString(concat(variables('_solutionId'),'-','Playbook','-',variables('_playbookContentId15'),'-', variables('playbookVersion15'))))]", "workbookVersion1": "1.0.0", - "workbookContentId1": "RecordedFutureDomainC2DNSWorkbook", + "workbookContentId1": "RecordedFuturePlaybookAlertOverviewWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", "workbookVersion2": "1.0.0", - "workbookContentId2": 
"RecordedFutureIPActiveC2Workbook", + "workbookContentId2": "RecordedFutureAlertOverviewWorkbook", "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", - "workbookTemplateSpecName2": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2')))]", - "_workbookContentId2": "[variables('workbookContentId2')]" + "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", + "_workbookContentId2": "[variables('workbookContentId2')]", + "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", + "workbookVersion3": "1.0.1", + "workbookContentId3": "RecordedFutureDomainCorrelationWorkbook", + "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", + "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", + "_workbookContentId3": "[variables('workbookContentId3')]", + "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", + "workbookVersion4": "1.0.1", + "workbookContentId4": "RecordedFutureHashCorrelationWorkbook", + "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", + "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", + "_workbookContentId4": "[variables('workbookContentId4')]", + "_workbookcontentProductId4": 
"[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", + "workbookVersion5": "1.0.1", + "workbookContentId5": "RecordedFutureIPCorrelationWorkbook", + "workbookId5": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId5'))]", + "workbookTemplateSpecName5": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId5'))))]", + "_workbookContentId5": "[variables('workbookContentId5')]", + "_workbookcontentProductId5": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId5'),'-', variables('workbookVersion5'))))]", + "workbookVersion6": "1.0.1", + "workbookContentId6": "RecordedFutureURLCorrelationWorkbook", + "workbookId6": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId6'))]", + "workbookTemplateSpecName6": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId6'))))]", + "_workbookContentId6": "[variables('workbookContentId6')]", + "_workbookcontentProductId6": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId6'),'-', variables('workbookVersion6'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": 
"[variables('analyticRuleTemplateSpecName1')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
- "properties": {
- "description": "Recorded Future Analytics Rule 1 with template",
- "displayName": "Recorded Future Analytics Rule template"
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('analyticRuleTemplateSpecName1'),'/',variables('analyticRuleVersion1'))]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "AnalyticsRule"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 2.4.0",
+ "description": "RecordedFutureDomainMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
 "contentVersion": "[variables('analyticRuleVersion1')]",
@@ -187,7 +298,7 @@
 "resources": [
 {
 "type": "Microsoft.SecurityInsights/AlertRuleTemplates",
- "name": "[variables('AnalyticRulecontentId1')]",
+ "name": "[variables('analyticRulecontentId1')]",
 "apiVersion": "2022-04-01-preview",
 "kind": "Scheduled",
 "location": "[parameters('workspace-location')]",
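Review bot: The reworked `variables` block keeps `workspaceResourceId` while this same hunk deletes every visible consumer of it (the `hidden-sentinelWorkspaceId` tags on the removed `templateSpecs` resources), and it drops `blanks` and `TemplateEmptyArray` outright; any `variables('blanks')`, `variables('TemplateEmptyArray')` or `variables('workspaceResourceId')` reference that survives in the resources further down the file will fail template validation, and if none survives `workspaceResourceId` is now dead. The `resources` array continues far beyond this hunk, so that needs checking against the whole file rather than this diff. The replacement `dependsOn` on the content template points at a `Microsoft.SecurityInsights/contentPackages` extension resource named `variables('_solutionId')`; that is presumably the solution-level package resource emitted elsewhere in this template, but it is not visible here and the deployment fails if it is absent or named differently. The `AnalyticRulecontentId1` → `analyticRulecontentId1` change in the following hunk is a case-only fix and needs no action.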
@@ -195,7 +306,7 @@ "description": "Identifies a match in DNSEvents from Recorded Future C2 DNS Name Domains Risklist.", "displayName": "Detection of Malware C2 Domains in DNS Events", "enabled": false, - "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, ActivityGroupNames, IndicatorId, ThreatType, 
ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, DomainCustomEntity = DomainName\n", + "query": "// Identifies a match in DnsEvent from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n DnsEvents\n | where TimeGenerated > ago(dt_lookBack)\n //Extract Domain patterns from syslog message\n | where isnotempty(Name)\n | extend parts = split(Name, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.Name\n| where DNS_TimeGenerated >= TimeGenerated and DNS_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, DomainName, Description, ConfidenceScore, AdditionalInformation, 
ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, DNS_TimeGenerated, Computer, ClientIP, Name, QueryType\n| extend timestamp = DNS_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = ClientIP, DomainCustomEntity = DomainName\n",
 "queryFrequency": "PT1H",
 "queryPeriod": "P1D",
 "severity": "Medium",
@@ -217,31 +328,31 @@
 ],
 "entityMappings": [
 {
+ "entityType": "Host",
 "fieldMappings": [
 {
 "identifier": "FullName",
 "columnName": "HostCustomEntity"
 }
- ],
- "entityType": "Host"
+ ]
 },
 {
+ "entityType": "IP",
 "fieldMappings": [
 {
 "identifier": "Address",
 "columnName": "IPCustomEntity"
 }
- ],
- "entityType": "IP"
+ ]
 },
 {
+ "entityType": "DNS",
 "fieldMappings": [
 {
 "identifier": "DomainName",
 "columnName": "DomainCustomEntity"
 }
- ],
- "entityType": "DNS"
+ ]
 }
 ]
 }
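Review bot: The rewritten `query` now filters `ThreatIntelligenceIndicator` on the exact string `'Recorded Future - Domains - Command and Control Activity'` (in both the TLD-list subquery and the main pipeline), but the rule's `description` at the top of this hunk still reads "Recorded Future C2 DNS Name Domains Risklist", the label this commit retires. Because the match is a strict `==` on a free-text `Description`, any drift between this literal and the label the indicator-import playbook writes yields zero joins and a silently dark detection rather than a deployment or runtime error, so the coupling should be stated where the next maintainer will see it: `"description": "Identifies a match in DNSEvents from the Recorded Future 'Domains - Command and Control Activity' risk list; the query's Description filter must match the label written by the indicator import playbook exactly."`, and the KQL comment `// Picking up only Recorded Future IOC's that are pertinent to the use case` could name that label too. Which playbook writes the label is inferred from the IndicatorImport playbooks registered in the variables hunk, not shown here. The enclosing `AlertRuleTemplates` resource starts and ends outside this hunk; the `entityMappings` reorder in the following hunk is cosmetic.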
@@ -274,37 +385,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId1')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in DNS Events", + "contentProductId": "[variables('_analyticRulecontentProductId1')]", + "id": "[variables('_analyticRulecontentProductId1')]", + "version": "[variables('analyticRuleVersion1')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Recorded Future Analytics Rule 2 with template", - "displayName": "Recorded Future Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName2'),'/',variables('analyticRuleVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName2'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 2.4.0", + 
"description": "RecordedFutureDomainMalwareC2inSyslogEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -313,7 +417,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId2')]", + "name": "[variables('analyticRulecontentId2')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", 
@@ -321,7 +425,7 @@ "description": "Identifies a match in Syslog from Recorded Future C2 DNS Name Domains Risklist.", "displayName": "Detection of Malware C2 Domains in Syslog Events", "enabled": false, - "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated < ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, 
Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", + "query": "// Identifies a match in Syslog from the Recorded Future DOMAIN Malware C2 DNS Name \nlet dt_lookBack = 1h;\nlet ioc_lookBack = 1d;\n//Create a list of TLDs in our threat feed for later validation\nlet list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated > ago(ioc_lookBack)\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n| where isnotempty(DomainName)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated >= ago(ioc_lookBack) and ExpirationDateTime > now()\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 'Recorded Future - Domains - Command and Control Activity'\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| join (\n Syslog\n | where TimeGenerated > ago(dt_lookBack)\n //Extract domain patterns from syslog message\n | extend domain = extract(\"(([a-z0-9]+(-[a-z0-9]+)*\\\\.)+[a-z]{2,})\",1, tolower(SyslogMessage))\n | where isnotempty(domain)\n | extend parts = split(domain, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend Syslog_TimeGenerated = TimeGenerated\n ) \non $left.DomainName==$right.domain\n| where Syslog_TimeGenerated >= TimeGenerated and Syslog_TimeGenerated 
< ExpirationDateTime\n| summarize LatestIndicatorTime = arg_max(TimeGenerated, *) by IndicatorId\n| project LatestIndicatorTime, Description, ActivityGroupNames, IndicatorId, ThreatType, ExpirationDateTime, ConfidenceScore, Syslog_TimeGenerated, SyslogMessage, Computer, ProcessName, domain, HostIP, Url\n| extend timestamp = Syslog_TimeGenerated, HostCustomEntity = Computer, IPCustomEntity = HostIP, URLCustomEntity = Url\n", "queryFrequency": "PT1H", "queryPeriod": "P1D", "severity": "Medium", @@ -343,40 +447,40 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] }, { + "entityType": "DNS", "fieldMappings": [ { "identifier": "DomainName", "columnName": "domain" } - ], - "entityType": "DNS" + ] } ] } 
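Review bot: The join in the new Syslog query, `on $left.DomainName==$right.domain`, is case-sensitive while `domain` is built from `tolower(SyslogMessage)`, so any indicator whose `DomainName` was stored with uppercase characters can never match; normalising the indicator side before the join, `| extend DomainName = tolower(DomainName)` after the `isnotempty(DomainName)` filter, closes that gap without changing the entity mapping. The hard-coded `Description == 'Recorded Future - Domains - Command and Control Activity'` is now the only thing that ties this rule to the feed, and the old label is dropped outright, so indicators already in ThreatIntelligenceIndicator under the previous description silently stop matching after the upgrade; if the import side is not re-run as part of this release, a transitional `Description in (...)` with both labels would avoid a blind spot. The `extract(...)` also only returns the first domain-looking token per message, which is pre-existing behaviour but worth a comment in the query so analysts do not assume every domain in a line is checked.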
@@ -409,37 +513,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId2')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 Domains in Syslog Events", + "contentProductId": "[variables('_analyticRulecontentProductId2')]", + "id": "[variables('_analyticRulecontentProductId2')]", + "version": "[variables('analyticRuleVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName3')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Recorded Future Analytics Rule 3 with template", - "displayName": "Recorded Future Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName3'),'/',variables('analyticRuleVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName3'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template 
version 2.4.0", + "description": "RecordedFutureHashObservedInUndergroundinCommonSecurityLog_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion3')]", @@ -448,7 +545,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId3')]", + "name": "[variables('analyticRulecontentId3')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -481,40 +578,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] } ] } 
@@ -547,37 +644,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId3')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Specific Hashes in CommonSecurityLog", + "contentProductId": "[variables('_analyticRulecontentProductId3')]", + "id": "[variables('_analyticRulecontentProductId3')]", + "version": "[variables('analyticRuleVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Recorded Future Analytics Rule 4 with template", - "displayName": "Recorded Future Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName4'),'/',variables('analyticRuleVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName4'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 
2.4.0", + "description": "RecordedFutureIPMalwareC2inAzureActivityEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion4')]", @@ -586,7 +676,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId4')]", + "name": "[variables('analyticRulecontentId4')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -616,40 +706,40 @@ ], "entityMappings": [ { + "entityType": "Account", "fieldMappings": [ { "identifier": "FullName", "columnName": "AccountCustomEntity" } - ], - "entityType": "Account" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -682,37 +772,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId4')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in Azure Act. Events", + "contentProductId": "[variables('_analyticRulecontentProductId4')]", + "id": "[variables('_analyticRulecontentProductId4')]", + "version": "[variables('analyticRuleVersion4')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName5')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Recorded Future Analytics Rule 5 with template", - "displayName": "Recorded Future Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName5'),'/',variables('analyticRuleVersion5'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName5'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 2.4.0", + 
"description": "RecordedFutureIPMalwareC2inDNSEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion5')]", @@ -721,7 +804,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId5')]", + "name": "[variables('analyticRulecontentId5')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -751,40 +834,40 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "TI_ipEntity" } - ], - "entityType": "IP" + ] } ] } 
@@ -817,37 +900,30 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId5')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malware C2 IPs in DNS Events", + "contentProductId": "[variables('_analyticRulecontentProductId5')]", + "id": "[variables('_analyticRulecontentProductId5')]", + "version": "[variables('analyticRuleVersion5')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('analyticRuleTemplateSpecName6')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, - "properties": { - "description": "Recorded Future Analytics Rule 6 with template", - "displayName": "Recorded Future Analytics Rule template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('analyticRuleTemplateSpecName6'),'/',variables('analyticRuleVersion6'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "AnalyticsRule" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('analyticRuleTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 
2.4.0", + "description": "RecordedFutureUrlReportedbyInsiktGroupinSyslogEvents_AnalyticalRules Analytics Rule with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion6')]", @@ -856,7 +932,7 @@ "resources": [ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", - "name": "[variables('AnalyticRulecontentId6')]", + "name": "[variables('analyticRulecontentId6')]", "apiVersion": "2022-04-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", @@ -886,31 +962,31 @@ ], "entityMappings": [ { + "entityType": "Host", "fieldMappings": [ { "identifier": "FullName", "columnName": "HostCustomEntity" } - ], - "entityType": "Host" + ] }, { + "entityType": "IP", "fieldMappings": [ { "identifier": "Address", "columnName": "IPCustomEntity" } - ], - "entityType": "IP" + ] }, { + "entityType": "URL", "fieldMappings": [ { "identifier": "Url", "columnName": "URLCustomEntity" } - ], - "entityType": "URL" + ] } ] } 
@@ -943,50 +1019,46 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_analyticRulecontentId6')]", + "contentKind": "AnalyticsRule", + "displayName": "Detection of Malicious URLs in Syslog Events", + "contentProductId": "[variables('_analyticRulecontentProductId6')]", + "id": "[variables('_analyticRulecontentProductId6')]", + "version": "[variables('analyticRuleVersion6')]" } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('playbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-ImportToSentinel playbook", - "displayName": "RecordedFuture-ImportToSentinel playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName1'),'/',variables('playbookVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFuture-ImportToSentinel Playbook with template version 2.4.0", + "description": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash 
Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", "parameters": { "PlaybookName": { - "type": "string", - "defaultValue": "RecordedFuture-ImportToSentinel" + "defaultValue": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "type": "string" } }, "variables": { - "GraphSecurityConnectionName": "[[concat('microsoftgraphsecurity-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/microsoftgraphsecurity')]", + "RecordedFutureConnectionName": "recordedfuture-connectorv2", + "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" 
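Review bot: In the new variables block `RecordedFutureConnectionName` is the fixed string `recordedfuture-connectorv2` while `AzureSentinelConnectionName` is namespaced with `[[concat('azuresentinel-', parameters('PlaybookName'))]`; if the template also declares that `Microsoft.Web/connections` resource (its declaration is outside this hunk), every Recorded Future playbook deployed into the same resource group will create or overwrite one shared connection, so re-authorising it for one playbook silently changes the credential used by all of them. If sharing one API-key connection across playbooks is intended, say so in the description; otherwise `"RecordedFutureConnectionName": "[[concat('recordedfuture-', parameters('PlaybookName'))]"` keeps each playbook's connection isolated, matching the Sentinel connection. The `description` string also still carries the variable family name `playbookTemplateSpecName1`/`playbookVersion1`, which now refers to a different playbook than in 2.4.0, so the release notes should call out that the ImportToSentinel playbook has been replaced rather than versioned.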
@@ -997,807 +1069,162 @@ "apiVersion": "2019-05-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateVersion": "2.5", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]" + "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" ], "properties": { "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "actions": { - "Select": { - "inputs": { - "from": "@triggerBody()['items']", - "select": "@item()['content']" - }, - "type": "Select" - }, - "Submit_multiple_tiIndicators": { - "inputs": { - "body": { - "value": "@body('Select')" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['microsoftgraphsecurity']['connectionId']" - } - }, - "method": "post", - "path": "/beta/security/tiIndicators/submitTiIndicators" - }, - "runAfter": { - "Select": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Batch_messages": { - "inputs": { - "configurations": { - "RFImportToSentinel": { - "releaseCriteria": { - "messageCount": 100, - "recurrence": { - "frequency": "Minute", - "interval": 10 - } + "For_each": { + "actions": { + "Parse_JSON_2": { + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "id": { + "type": "string" + }, + "kind": { + "type": "string" + }, + "properties": { + "type": "object" + }, + "type": { + "type": "string" + } + }, + "type": "object" } - } + }, + "type": "ParseJson" }, - "mode": "Inline" - }, - "type": "Batch" - } - } - }, - "parameters": { - "$connections": { - "value": 
{ - "microsoftgraphsecurity": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/microsoftgraphsecurity')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]", - "connectionName": "[[variables('GraphSecurityConnectionName')]" - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "location": "[[variables('workspace-location-inline')]", - "name": "[[variables('GraphSecurityConnectionName')]", - "properties": { - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId1')]", - "contentId": "[variables('_playbookContentId1')]", - "kind": "Playbook", - "version": "[variables('playbookVersion1')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-ImportToSentinel", - "description": "This playbook is purposed to listen (via batching mechanism provided by Microsoft Azure) for incoming messages from the IndicatorProcessor Playbooks and create submit the indicators for creation", - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and 
press save." - ], - "prerequisites": [ - "None" - ], - "lastUpdateTime": "2022-08-01T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "RecordedFuture-ImportToSentinel", - "notes": [ - "Initial version" - ] - } - ] - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName2')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor playbook", - "displayName": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName2'),'/',variables('playbookVersion2'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName2'))]" - ], - "properties": { - "description": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor Playbook with template version 2.4.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion2')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor", - "type": "String" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ImportToSentinel", - "type": "String" - } - }, - "variables": { - "RecordedFutureConnectionName": "recordedfuture-connectorv2", - "connection-2": 
"[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ], - "properties": { - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "For_each": { - "actions": { - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } + "Switch": { + "cases": { + "Case": { + "actions": { + "Add_comment_to_incident_(V3)_-_Domain": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" }, - "type": "object" + "runAfter": { + "Domain_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, - "Name": { - "type": "string" + "Add_comment_to_incident_(V3)_4": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": { + "Add_comment_to_incident_(V3)_-_Domain": [ + "Skipped" + ] + }, + "type": "ApiConnection" }, - "Risk": { - "type": "integer" + "Domain_Enrichment": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", + "queries": { + "IntelligenceCloud": "@parameters('IntelligenceCloud')", + "RFIncidentId": "@variables('RFIncidentId')", + "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", + "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", + "fields": "intelCard,risk,links", + "htmlresponse": "True" + } + }, + "runAfter": { + "Parse_JSON_-_DNS_Resolution": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, - "riskString": { - "type": "string" + "Parse_JSON_-_DNS_Resolution": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "domainName": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" } }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "RecordedFuture-ImportToSentinel": { - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "action": "alert", - "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}", - "azureTenantId": "[[subscription().tenantId]", - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "description": "Recorded Future - DOMAIN - C2 DNS Name", - "domainName": "@{body('Parse_JSON')?['Name']}", - "expirationDateTime": "@{addHours(utcNow(),2)}", - "ingestedDateTime": "@{utcNow()}", - "targetProduct": "Azure Sentinel", - "threatType": "C2", - "tlpLevel": 
"amber" + "case": "DnsResolution" }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - }, - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch" - } - }, - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/domain_c2_dns.json" - } - }, - "type": "ApiConnection" - } - }, - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Hour", - "interval": 2 - }, - "type": "Recurrence" - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId2')]", - "contentId": "[variables('_playbookContentId2')]", - "kind": "Playbook", - "version": "[variables('playbookVersion2')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor", - "description": "This playbook leverages the Recorded Future API and automatically imports the C&C DNS Name Domain RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", - "prerequisites": [ - "First install the RecordedFuture-ImportToSentinel playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" - ], - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and press save." 
- ], - "lastUpdateTime": "2022-08-01T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", - "notes": [ - "Initial version" - ] - } - ] - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName3')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor playbook", - "displayName": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName3'),'/',variables('playbookVersion3'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName3'))]" - ], - "properties": { - "description": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor Playbook with template version 2.4.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion3')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", - "type": "String" - }, - "PlaybookNameBatching": { - "defaultValue": "RecordedFuture-ImportToSentinel", - "type": "String" - } - }, - "variables": { - "RecordedFutureConnectionName": "recordedfuture-connectorv2", - "connection-2": 
"[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ], - "properties": { - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "For_each": { - "actions": { - "Parse_JSON": { - "inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } + "Case_2": { + "actions": { + "Add_comment_to_incident_(V3)_-_Hash": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" + "runAfter": { + "Hash_Enrichment": [ + "Succeeded" + ] + }, + "type": "ApiConnection" }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "RecordedFuture-ImportToSentinel": { - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "action": "alert", - "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}", - "azureTenantId": "[[subscription().tenantId]", - "confidence": "@int(body('Parse_JSON')?['Risk'])", - "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", - "expirationDateTime": "@{addDays(utcNow(),1)}", - "fileHashType": "unknown", - "fileHashValue": "@{body('Parse_JSON')?['Name']}", - "ingestedDateTime": "@{utcNow()}", - "targetProduct": "Azure Sentinel", - "threatType": "Malware", - "tlpLevel": "amber" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - }, - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] - }, - "type": "SendToBatch" - } - }, - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "Recorded_Future_RiskLists_and_SCF_Download": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/fusion/files", - "queries": { - "path": "/public/MicrosoftAzure/hash_observed_testing.json" - } - }, - "type": "ApiConnection" - } - }, - 
"contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Day", - "interval": 1 - }, - "type": "Recurrence" - } - } - }, - "parameters": { - "$connections": { - "value": { - "recordedfuture": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" - } - } - } - } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-2')]" - } - } - }, - { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", - "properties": { - "parentId": "[variables('playbookId3')]", - "contentId": "[variables('_playbookContentId3')]", - "kind": "Playbook", - "version": "[variables('playbookVersion3')]", - "source": { - "kind": "Solution", - "name": "Recorded Future", - "sourceId": "[variables('_solutionId')]" - }, - "author": { - "name": "Recorded Future Premier Integrations", - "email": "[variables('_email')]" - }, - "support": { - "name": "Recorded Future Support Team", - "email": "support@recordedfuture.com", - "tier": "Partner", - "link": "http://support.recordedfuture.com/" - } - } - } - ], - "metadata": { - "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", - "description": "This playbook leverages 
the Recorded Future API and automatically imports the Observed in Underground Virus Testing Sites Hash RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", - "prerequisites": [ - "First install the RecordedFuture-ImportToSentinel playbook.", - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" - ], - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2022-08-01T00:00:00Z", - "tags": [ - "Threat Intelligence" - ], - "releaseNotes": [ - { - "version": "1.0.0", - "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", - "notes": [ - "Initial version" - ] - } - ] - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName4')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash playbook", - "displayName": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash playbook" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName4'),'/',variables('playbookVersion4'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', 
variables('playbookTemplateSpecName4'))]" - ], - "properties": { - "description": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash Playbook with template version 2.4.0", - "mainTemplate": { - "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion4')]", - "parameters": { - "PlaybookName": { - "defaultValue": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "type": "string" - } - }, - "variables": { - "RecordedFutureConnectionName": "recordedfuture-connectorv2", - "AzureSentinelConnectionName": "[[concat('azuresentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", - "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", - "workspace-name": "[parameters('workspace')]", - "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[[parameters('PlaybookName')]", - "location": "[[variables('workspace-location-inline')]", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" - ], - "properties": { - "definition": { - "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "actions": { - "For_each": { - "actions": { - "Parse_JSON_2": { - 
"inputs": { - "content": "@items('For_each')", - "schema": { - "properties": { - "id": { - "type": "string" - }, - "kind": { - "type": "string" - }, - "properties": { - "type": "object" - }, - "type": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "Switch": { - "cases": { - "Case": { - "actions": { - "Add_comment_to_incident_(V3)_-_Domain": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnrichmed Domain: @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRisk Score: @{body('Domain_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open IOC Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('Domain_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('Domain_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('Domain_Technical_Links_HTML_table')}
\nResearch Links: @{body('Domain_Research_Links_HTML_table')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Domain_Observed_ioc_HTML_table": [ - "Succeeded" - ] - }, - "type": "ApiConnection" - }, - "Add_comment_to_incident_(V3)_4": { + "Add_comment_to_incident_(V3)_3": { "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRequest Data Collection In The Recorded Future Portal

" + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" }, "host": { "connection": { @@ -1808,13 +1235,13 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Add_comment_to_incident_(V3)_-_Domain": [ - "SKIPPED" + "Add_comment_to_incident_(V3)_-_Hash": [ + "Skipped" ] }, "type": "ApiConnection" }, - "Domain_Enrichment": { + "Hash_Enrichment": { "inputs": { "host": { "connection": { 
@@ -1822,144 +1249,36 @@ } }, "method": "get", - "path": "/lookup/domain/@{encodeURIComponent(body('Parse_JSON_-_DNS_Resolution')?['domainName'])}", + "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", "queries": { "IntelligenceCloud": "@parameters('IntelligenceCloud')", "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { - "Parse_JSON_-_DNS_Resolution": [ + "Parse_JSON_-_File_Hash": [ "Succeeded" ] }, "type": "ApiConnection" }, - "Domain_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('Domain_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "Domain_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('Domain_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "Domain_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - 
"value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('Domain_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "Domain_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - "value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('Domain_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "DOMAIN_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Parse_JSON_-_DNS_Resolution": { + "Parse_JSON_-_File_Hash": { "inputs": { "content": "@body('Parse_JSON_2')?['properties']", "schema": { "properties": { - "domainName": { + "algorithm": { "type": "string" }, "friendlyName": { "type": "string" + }, + "hashValue": { + "type": "string" } }, "type": "object" @@ -1968,15 +1287,15 @@ "type": "ParseJson" } }, - "case": "DnsResolution" + "case": "FileHash" }, - "Case_2": { + "Case_3": { "actions": { - "Add_comment_to_incident_(V3)_-_Hash": { + "Add_comment_to_incident_(V3)_-_URL": { "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched Hash: @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRisk Score: @{body('Hash_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('Hash_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('Hash_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('Hash_Technical_Links_HTML_table')}
\nResearch Links: @{body('Hash_Research_Links_HTML_table')}

" + "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": { @@ -1987,17 +1306,17 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Hash_Observed_ioc_HTML_table": [ + "URL_Enrichment": [ "Succeeded" ] }, "type": "ApiConnection" }, - "Add_comment_to_incident_(V3)_3": { + "Add_comment_to_incident_(V3)_2": { "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRequest Data Collection In The Recorded Future Portal

" + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" }, "host": { "connection": { @@ -2008,13 +1327,30 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Add_comment_to_incident_(V3)_-_Hash": [ - "SKIPPED" + "Add_comment_to_incident_(V3)_-_URL": [ + "Skipped" ] }, "type": "ApiConnection" }, - "Hash_Enrichment": { + "Parse_JSON_-_Url": { + "inputs": { + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "friendlyName": { + "type": "string" + }, + "url": { + "type": "string" + } + }, + "type": "object" + } + }, + "type": "ParseJson" + }, + "URL_Enrichment": { "inputs": { "host": { "connection": { 
@@ -2022,164 +1358,33 @@ } }, "method": "get", - "path": "/lookup/hash/@{encodeURIComponent(body('Parse_JSON_-_File_Hash')?['hashValue'])}", + "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", "queries": { "IntelligenceCloud": "@parameters('IntelligenceCloud')", "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { - "Parse_JSON_-_File_Hash": [ + "Parse_JSON_-_Url": [ "Succeeded" ] }, "type": "ApiConnection" - }, - "Hash_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('Hash_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "Hash_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('Hash_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "Hash_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, 
- { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('Hash_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "Hash_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - "value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('Hash_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "Hash_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Parse_JSON_-_File_Hash": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "algorithm": { - "type": "string" - }, - "friendlyName": { - "type": "string" - }, - "hashValue": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" } }, - "case": "FileHash" + "case": "Url" }, - "Case_3": { + "Case_4": { "actions": { - "Add_comment_to_incident_(V3)_-_URL": { + "Add_comment_to_incident_(V3)": { "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched URL: @{replace(body('Parse_JSON_-_Url')?['url'], '.', '[.]')}
\nRisk Score: @{body('URL_Enrichment')?['data']?['risk']?['score']} of 99@{concat('


')}
\nInfrastructure Detections: @{body('Url_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('URL_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('URL_Technical_Links_HTML_table')}
\nResearch Links: @{body('URL_Research_Links_HTML_table')}

" + "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" }, "host": { "connection": { @@ -2190,17 +1395,17 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Url_Observed_ioc_HTML_table": [ - "Succeeded" + "Add_comment_to_incident_(V3)_-_IP": [ + "Skipped" ] }, "type": "ApiConnection" }, - "Add_comment_to_incident_(V3)_2": { + "Add_comment_to_incident_(V3)_-_IP": { "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Url')?['url']}
\nRequest Data Collection In The Recorded Future Portal

" + "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": { @@ -2211,30 +1416,13 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Add_comment_to_incident_(V3)_-_URL": [ - "SKIPPED" + "IP_Enrichment": [ + "Succeeded" ] }, "type": "ApiConnection" }, - "Parse_JSON_-_Url": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "friendlyName": { - "type": "string" - }, - "url": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" - }, - "URL_Enrichment": { + "IP_Enrichment": { "inputs": { "host": { "connection": { 
@@ -2242,463 +1430,2947 @@ } }, "method": "get", - "path": "/lookup/url/@{encodeURIComponent(body('Parse_JSON_-_Url')?['url'])}", + "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", "queries": { "IntelligenceCloud": "@parameters('IntelligenceCloud')", "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { - "Parse_JSON_-_Url": [ + "Parse_JSON_-_Ip": [ "Succeeded" ] }, "type": "ApiConnection" }, - "URL_Evidence_Details_HTML_table": { + "Parse_JSON_-_Ip": { "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" + "content": "@body('Parse_JSON_2')?['properties']", + "schema": { + "properties": { + "address": { + "type": "string" + }, + "friendlyName": { + "type": "string" + } }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('URL_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "URL_Enrichment": [ - "Succeeded" - ] + "type": "object" + } }, - "type": "Table" - }, - "URL_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('URL_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "URL_Technical_Links_HTML_table": [ - "Succeeded" 
+ "type": "ParseJson"
+ }
+ },
+ "case": "Ip"
+ }
+ },
+ "expression": "@body('Parse_JSON_2')?['kind']",
+ "runAfter": {
+ "Parse_JSON_2": [
+ "Succeeded"
+ ]
+ },
+ "type": "Switch"
+ }
+ },
+ "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']",
+ "runAfter": {
+ "RFIncidentId": [
+ "Succeeded"
+ ]
+ },
+ "type": "Foreach"
+ },
+ "RFIncidentId": {
+ "inputs": {
+ "variables": [
+ {
+ "name": "RFIncidentId",
+ "type": "string",
+ "value": "@{guid()}"
+ }
+ ]
+ },
+ "type": "InitializeVariable"
+ }
+ },
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "IntelligenceCloud": {
+ "defaultValue": true,
+ "type": "Bool"
+ },
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "When_Azure_Sentinel_incident_creation_rule_was_triggered": {
+ "inputs": {
+ "body": {
+ "callback_url": "@{listCallbackUrl()}"
+ },
+ "host": {
+ "connection": {
+ "name": "@parameters('$connections')['azuresentinel']['connectionId']"
+ }
+ },
+ "path": "/incident-creation"
+ },
+ "type": "ApiConnectionWebhook"
+ }
+ }
+ },
+ "parameters": {
+ "$connections": {
+ "value": {
+ "azuresentinel": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
+ "connectionName": "[[variables('AzureSentinelConnectionName')]"
+ },
+ "recordedfuture": {
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]",
+ "connectionName": "[[variables('RecordedFutureConnectionName')]"
+ }
+ }
+ }
+ }
+ }
+ },
+ {
+ "type": "Microsoft.Web/connections",
+ "apiVersion": "2016-06-01",
+ "name": "[[variables('RecordedFutureConnectionName')]",
+ "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId1'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId1')]", + "contentId": "[variables('_playbookContentId1')]", + "kind": "Playbook", + "version": "[variables('playbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. 
The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" + ], + "lastUpdateTime": "2023-03-08T00:00:00Z", + "entities": [ + "ip", + "url", + "dnsresolution", + "filehash" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Initial version" + ] + }, + { + "version": "1.1", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Improved layout and added Recorded Future Collective Insights." + ] + }, + { + "version": "1.2", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Fixed risk rule severity and correct image url." + ] + }, + { + "version": "2.3", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Updated readme and improved layout." + ] + }, + { + "version": "2.4", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Handle 404 result from enrichment." + ] + }, + { + "version": "2.5", + "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "notes": [ + "Backend rendered markdown/html to increse performance and reduce cost of enrichment." 
+ ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId1')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "contentProductId": "[variables('_playbookcontentProductId1')]", + "id": "[variables('_playbookcontentProductId1')]", + "version": "[variables('playbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion2')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", + "type": "string" + }, + "Sandbox API Key": { + "type": "string", + "metadata": { + "description": "Enter value for Sandbox API Key. 
Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" + } + } + }, + "variables": { + "RecordedfutureConnectionName": "[[concat('', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "Sandbox API Key": { + "defaultValue": "[[parameters('Sandbox API Key')]", + "type": "string" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Entities_-_Get_URLs": { + "type": "ApiConnection", + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": 
"@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/url" + } + }, + "For_each": { + "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Get_the_full_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

@{body('Get_the_full_report')?['html_report']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Get_the_full_report": { + "runAfter": { + "Wait_for_sandbox_report": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" + } + }, + "Initialize_Sandbox_status": { + "runAfter": { + "Submit_url_samples": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "sandbox_status", + "value": "@body('Submit_url_samples')?['status']" + } + }, + "Submit_url_samples": { + "type": "ApiConnection", + "inputs": { + "body": { + "url": "@items('For_each')?['Url']" + }, + "headers": { + "Content-Type": "application/json", + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "post", + "path": "/samples/url" + } + }, + "Wait_for_sandbox_report": { + "actions": { + "Delay": { + "runAfter": { + "Set_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Wait", + "inputs": { + "interval": { + "count": 2, + "unit": "Minute" + } + } + }, + "Get_the_full_summary": { + "type": "ApiConnection", + "inputs": { + "headers": { + "SandboxToken": "@parameters('Sandbox API Key')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + } + }, + "method": "get", + "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" + } + }, + "Set_sandbox_status": { + "runAfter": { + "Get_the_full_summary": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": 
"sandbox_status", + "value": "@body('Get_the_full_summary')?['status']" + } + } + }, + "runAfter": { + "Initialize_Sandbox_status": [ + "Succeeded" + ] + }, + "expression": "@equals(variables('sandbox_status'), 'reported')", + "limit": { + "count": 60, + "timeout": "PT1H" + }, + "type": "Until" + } + }, + "runAfter": { + "Define_sandbox_status": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Define_sandbox_status": { + "runAfter": { + "Entities_-_Get_URLs": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "sandbox_status", + "type": "string" + } + ] + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "recordedfuturesandbo": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "recordedfuturesandbo", + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + 
"[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId2'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId2')]", + "contentId": "[variables('_playbookContentId2')]", + "kind": "Playbook", + "version": "[variables('playbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Sandbox_Enrichment-Url", + "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. 
The result will be written as a incident comment.", + "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials", + "postDeployment": [ + "After deployment you have to open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-03-24T00:00:00Z", + "entities": [ + "url" + ], + "tags": [ + "Enrichment" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Sandbox_Enrichment-Url", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId2')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Sandbox_Enrichment-Url", + "contentProductId": "[variables('_playbookcontentProductId2')]", + "id": "[variables('_playbookcontentProductId2')]", + "version": "[variables('playbookVersion2')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Playbook-Alert-Importer Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion3')]", + "parameters": { + "PlaybookName": { + "defaultValue": 
"RecordedFuture-Playbook-Alert-Importer", + "type": "string" + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "RecordedFutureConnectionName": "recordedfuture-connectorv2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-3": "[[variables('connection-3')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Search_Playbook_Alerts')", + "actions": { + "Get_Playbook_Alert_by_ID": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" + } + }, + "Send_Data": { + "runAfter": { + 
"Get_Playbook_Alert_by_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"title\": \"@{body('Get_Playbook_Alert_by_ID')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{body('Get_Playbook_Alert_by_ID')?['category']}\",\n\"rule_label\":\"@{body('Get_Playbook_Alert_by_ID')?['rule_label']}\",\n\"status\": \"@{body('Get_Playbook_Alert_by_ID')?['status']}\", \n\"priority\": \"@{body('Get_Playbook_Alert_by_ID')?['priority']}\",\n\"created_date\": \"@{body('Get_Playbook_Alert_by_ID')?['created_date']}\",\n\"updated_date\": \"@{body('Get_Playbook_Alert_by_ID')?['updated_date']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{body('Get_Playbook_Alert_by_ID')?['link']}\"\n}", + "headers": { + "Log-Type": "RecordedFuturePlaybookAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Search_Playbook_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Search_Playbook_Alerts": { + "type": "ApiConnection", + "inputs": { + "body": { + "categories": [ + "domain_abuse", + "cyber_vulnerability", + "code_repo_leakage" + ], + "created_from_relative": "-1" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "post", + "path": "/playbook-alert/search" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "recordedfuturev2": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[[variables('RecordedFutureConnectionName')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "PlaybookAlert-Import", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": 
"[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId3'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId3')]", + "contentId": "[variables('_playbookContentId3')]", + "kind": "Playbook", + "version": "[variables('playbookVersion3')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Playbook-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Alert" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId3')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Playbook-Alert-Importer", + "contentProductId": "[variables('_playbookcontentProductId3')]", + "id": "[variables('_playbookcontentProductId3')]", + "version": "[variables('playbookVersion3')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName4')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-AlertImporter Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion4')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-AlertImporter", + "type": "string" + }, + "create_incident": { + "type": "string", + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + } + }, + "workspace_name": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel Workspace name" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[[concat('Azureloganalyticsdatacollector-', 
parameters('PlaybookName'))]", + "AzuremonitorlogsConnectionName": "[[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "Recordedfuturev2ConnectionName": "[[concat('Recordedfuturev2-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]", + "_connection-2": "[[variables('connection-2')]", + "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]", + "_connection-3": "[[variables('connection-3')]", + "connection-4": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-4": "[[variables('connection-4')]", + "connection-5": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "_connection-5": "[[variables('connection-5')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + }, + "create_incident": { + "type": "string", + "defaultValue": "[[parameters('create_incident')]" + } + }, + 
"triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each_triggered_alert": { + "foreach": "@body('Search_Triggered_Alerts')?['data']", + "actions": { + "Create_incident_if_parameter_is_set": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Create_incident": { + "type": "ApiConnection", + "inputs": { + "body": { + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "severity": "Medium", + "status": "New", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Alert" + } ] }, - "type": "Table" + "title": "@items('For_each_triggered_alert')?['title']" }, - "URL_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "[[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" + } + }, + "Parse_JSON_2": { + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_triggered_alert')?['hits']", + "schema": { + "items": { + "properties": { + "document": { + "properties": { + "authors": { + "type": "array" + }, + "source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "title": { + "type": [ + "string", + "null" + ] + } + }, + "type": "object" }, - { - "header": "Entity_Type", - "value": "@item()?['type']" + "entities": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": 
"string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "fragment": { + "type": "string" + }, + "id": { + "type": "string" + }, + "language": { + "type": "string" + } + }, + "required": [ + "entities", + "document", + "fragment", + "id", + "language", + "primary_entity", + "analyst_note" + ], + "type": "object" + }, + "type": "array" + } + } + } + }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "type": "If" + }, + "For_each_hit": { + "foreach": "@items('For_each_triggered_alert')['hits']", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_hit')", + "schema": { + "properties": { + "document": { + "properties": { + "authors": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "title": { + "type": [ + "string", + "null" + ] + } }, - { - "header": "Category", - "value": "@item()?['category']" + "type": "object" + }, + "entities": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('URL_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "URL_Evidence_Details_HTML_table": [ 
- "Succeeded" - ] + "type": "array" + }, + "fragment": { + "type": "string" + }, + "id": { + "type": "string" + }, + "language": { + "type": "string" + } }, - "type": "Table" + "type": "object" + } + } + }, + "Send_Data_2": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": \"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{items('For_each_triggered_alert')?['ai_insights']?['text']}\",\n\"Fragment\": \"@{replace(replace(body('Parse_JSON')?['fragment'], '\\', '\\\\'), '\"', '\\\"')}\"}", + "headers": { + "Log-Type": "RecordedFuturePortalAlerts" }, - "Url_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - "value": "@item()?['integration_type']" + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "type": "Foreach" + } + }, + "runAfter": { + "Search_Triggered_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "latest_event_date", + "type": "string", + "value": "@{addHours(utcNow(), -24)}" + } + ] + } + }, + "Run_query_and_list_results": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": 
"RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs_1']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[[resourceGroup().name]", + "resourcename": "[[parameters('workspace_name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[[subscription().subscriptionId]", + "timerange": "Last 7 days" + } + } + }, + "Search_Triggered_Alerts": { + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/v2/alerts", + "queries": { + "triggered": "[[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" + } + } + }, + "Set_variable": { + "runAfter": { + "Run_query_and_list_results": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs_1": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[[variables('AzuremonitorlogsConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', 
variables('workspace-location-inline'), '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "recordedfuturev2": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]", + "connectionName": "[[variables('Recordedfuturev2ConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + 
"kind": "V1", + "properties": { + "displayName": "[[variables('AzureloganalyticsdatacollectorConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('AzuremonitorlogsConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('AzuremonitorlogsConnectionName')]", + "api": { + "id": "[[variables('_connection-3')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": "[[variables('_connection-4')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('Recordedfuturev2ConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('Recordedfuturev2ConnectionName')]", + "api": { + "id": "[[variables('_connection-5')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId4')]", + "contentId": "[variables('_playbookContentId4')]", + "kind": "Playbook", + "version": "[variables('playbookVersion4')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support 
Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-09-13T00:00:00Z", + "tags": [ + "Alert" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Alert-Importer", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId4')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-AlertImporter", + "contentProductId": "[variables('_playbookcontentProductId4')]", + "id": "[variables('_playbookcontentProductId4')]", + "version": "[variables('playbookVersion4')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName5')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ThreatIntelligenceImport 
Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion5')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "string" + }, + "workspace": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Microsoft Sentinel Workspace name" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Batch_messages": { + "type": "Batch", + "inputs": { + "configurations": { + "RFImportToSentinel": { + "releaseCriteria": { + "messageCount": 100, + "recurrence": { + "frequency": "Minute", + "interval": 10 + } + } + } + }, + "mode": "Inline" + } + } + }, + "actions": { + "Compose": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "sourcesystem": "Recorded Future", + "value": "@body('Select')" + } + }, + "Select": { + "type": "Select", + "inputs": { + "from": "@triggerBody()['items']", + "select": "@item()['content']" + } 
+ }, + "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(Private_Preview)": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@outputs('Compose')", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "[[concat('/ThreatIntelligence/', reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))).customerId,'/UploadIndicators')]" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[[variables('MicrosoftSentinelConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('MicrosoftSentinelConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('MicrosoftSentinelConnectionName')]", + "parameterValueType": "Alternative", + "api": { + "id": 
"[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId5')]", + "contentId": "[variables('_playbookContentId5')]", + "kind": "Playbook", + "version": "[variables('playbookVersion5')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-ThreatIntelligenceImport", + "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", + "prerequisites": [ + "Microsoft Sentinel Threat Intelligence active" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId5')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ThreatIntelligenceImport", + "contentProductId": "[variables('_playbookcontentProductId5')]", + "id": "[variables('_playbookcontentProductId5')]", + "version": "[variables('playbookVersion5')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName6')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Domain-IndicatorImport Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion6')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Domain-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[[concat('Recordedfuture-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('URL_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "URL_Research_Links_HTML_table": [ - "Succeeded" - ] + "type": "array" + } }, - "type": "Table" + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": 
"integer" + }, + "riskString": { + "type": "string" } }, - "case": "Url" + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - Domains - Command and Control Activity", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" }, - "Case_4": { - "actions": { - "Add_comment_to_incident_(V3)": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nNo Recorded Future data on @{body('Parse_JSON_-_Ip')?['address']}
\nRequest Data Collection In The Recorded Future Portal

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "Add_comment_to_incident_(V3)_-_IP": [ - "Skipped" - ] + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/domain_c2_dns.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": 
"Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId6')]", + "contentId": "[variables('_playbookContentId6')]", + "kind": "Playbook", + "version": "[variables('playbookVersion6')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Domain-IndicatorImport", + "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Domain-IndicatorImport", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId6')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Domain-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId6')]", + "id": "[variables('_playbookcontentProductId6')]", + "version": "[variables('playbookVersion6')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName7')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-Hash-IndicatorImport Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion7')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Hash-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[[concat('Recordedfuture-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } }, - "type": "ApiConnection" + "type": "object" }, - "Add_comment_to_incident_(V3)_-_IP": { - "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched IP: @{body('Parse_JSON_-_Ip')?['address']}
\nRisk Score: @{body('IP_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('IP_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('IP_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('IP_Technical_Links_HTML_table')}
\nResearch Links: @{body('IP_Research_Links_HTML_table')}

" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/Incidents/Comment" - }, - "runAfter": { - "IP_Observed_ioc_HTML_table": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + "Name": { + "type": "string" }, - "IP_Enrichment": { - "inputs": { - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuture']['connectionId']" - } - }, - "method": "get", - "path": "/lookup/ip/@{encodeURIComponent(body('Parse_JSON_-_Ip')?['address'])}", - "queries": { - "IntelligenceCloud": "@parameters('IntelligenceCloud')", - "RFIncidentId": "@variables('RFIncidentId')", - "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", - "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),24)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, 
'/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/hash_observed_testing.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId7')]", + "contentId": "[variables('_playbookContentId7')]", + "kind": "Playbook", + "version": "[variables('playbookVersion7')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-Hash-IndicatorImport", + "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Hash-IndicatorImport", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId7')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Hash-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId7')]", + "id": "[variables('_playbookcontentProductId7')]", + "version": "[variables('playbookVersion7')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName8')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-IP-IndicatorImport Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion8')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IP-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[[concat('Recordedfuture-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" } }, - "runAfter": { - "Parse_JSON_-_Ip": [ - "Succeeded" - ] - }, - "type": "ApiConnection" + "type": "object" }, - "IP_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": 
"@body('IP_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "IP_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" + "Name": { + "type": "string" }, - "IP_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ThreatIntelligenceImport": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - IP - Actively Communicating C&C Server", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),1)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + 
"path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/ip_active_c2.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId8')]", + "contentId": "[variables('_playbookContentId8')]", + "kind": "Playbook", + "version": "[variables('playbookVersion8')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": 
"[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IP-IndicatorImport", + "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." 
+ ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IP-IndicatorImport", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId8')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IP-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId8')]", + "id": "[variables('_playbookcontentProductId8')]", + "version": "[variables('playbookVersion8')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName9')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-URL-IndicatorImport Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion9')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-URL-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[[concat('Recordedfuture-', parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), 
'/managedApis/Recordedfuturev2')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('IP_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "IP_Technical_Links_HTML_table": [ - "Succeeded" - ] + "type": "array" + } }, - "type": "Table" + "type": "object" }, - "IP_Technical_Links_HTML_table": { - "inputs": { - 
"columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('IP_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "IP_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" + "Name": { + "type": "string" }, - "IP_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - "value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('IP_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "IP_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" + "Risk": { + "type": "integer" }, - "Parse_JSON_-_Ip": { - "inputs": { - "content": "@body('Parse_JSON_2')?['properties']", - "schema": { - "properties": { - "address": { - "type": "string" - }, - "friendlyName": { - "type": "string" - } - }, - "type": "object" - } - }, - "type": "ParseJson" + "riskString": { + "type": "string" } }, - "case": "Ip" + "type": "object" } - }, - "expression": "@body('Parse_JSON_2')?['kind']", + } + }, + "RecordedFuture-ImportToSentinel": { "runAfter": { - "Parse_JSON_2": [ + "Parse_JSON": [ "Succeeded" ] }, - "type": "Switch" + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - URL - Recently Reported by Insikt Group", 
+ "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[[url:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } } }, - "foreach": "@triggerBody()?['object']?['properties']?['relatedEntities']", "runAfter": { - "RFIncidentId": [ + "Recorded_Future_RiskLists_and_SCF_Download": [ "Succeeded" ] }, "type": "Foreach" }, - "Initialize_variable": { + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/url_insikt.json" + } + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[[variables('RecordedfutureConnectionName')]", + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[[variables('workspace-location-inline')]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + 
"hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId9'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId9')]", + "contentId": "[variables('_playbookContentId9')]", + "kind": "Playbook", + "version": "[variables('playbookVersion9')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-URL-IndicatorImport", + "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded 
Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-07-06T00:00:00Z", + "tags": [ + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-URL-IndicatorImport", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId9')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-URL-IndicatorImport", + "contentProductId": "[variables('_playbookcontentProductId9')]", + "id": "[variables('_playbookcontentProductId9')]", + "version": "[variables('playbookVersion9')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName10')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-ImportToSentinel Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion10')]", + "parameters": { + "PlaybookName": { + "type": "string", + "defaultValue": "RecordedFuture-ImportToSentinel" + } + }, + "variables": { + "GraphSecurityConnectionName": "[[concat('microsoftgraphsecurity-', 
parameters('PlaybookName'))]", + "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/microsoftgraphsecurity')]", + "_connection-2": "[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ImportToSentinel", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]" + ], + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "Select": { "inputs": { - "variables": [ - { - "name": "EmptyArray", - "type": "array" - } - ] + "from": "@triggerBody()['items']", + "select": "@item()['content']" }, - "type": "InitializeVariable" + "type": "Select" }, - "RFIncidentId": { + "Submit_multiple_tiIndicators": { "inputs": { - "variables": [ - { - "name": "RFIncidentId", - "type": "string", - "value": "@{guid()}" + "body": { + "value": "@body('Select')" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['microsoftgraphsecurity']['connectionId']" } - ] + }, + "method": "post", + "path": "/beta/security/tiIndicators/submitTiIndicators" }, "runAfter": { - "Initialize_variable": [ + "Select": [ "Succeeded" ] }, - "type": "InitializeVariable" + "type": "ApiConnection" } }, "contentVersion": "1.0.0.0", 
"parameters": { - "IntelligenceCloud": { - "defaultValue": true, - "type": "Bool" - }, "$connections": { "type": "Object" } }, "triggers": { - "When_Azure_Sentinel_incident_creation_rule_was_triggered": { + "Batch_messages": { "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "configurations": { + "RFImportToSentinel": { + "releaseCriteria": { + "messageCount": 100, + "recurrence": { + "frequency": "Minute", + "interval": 10 + } + } } }, - "path": "/incident-creation" + "mode": "Inline" }, - "type": "ApiConnectionWebhook" + "type": "Batch" } } }, "parameters": { "$connections": { "value": { - "azuresentinel": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/azuresentinel')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]", - "connectionName": "[[variables('AzureSentinelConnectionName')]" - }, - "recordedfuture": { - "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", - "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", - "connectionName": "[[variables('RecordedFutureConnectionName')]" + "microsoftgraphsecurity": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/microsoftgraphsecurity')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]", + "connectionName": "[[variables('GraphSecurityConnectionName')]" } } } } - }, - "tags": { - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" } }, { "type": "Microsoft.Web/connections", 
"apiVersion": "2016-06-01", - "name": "[[variables('RecordedFutureConnectionName')]", "location": "[[variables('workspace-location-inline')]", + "name": "[[variables('GraphSecurityConnectionName')]", "properties": { "api": { "id": "[[variables('_connection-2')]" } } }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('AzureSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "properties": { - "api": { - "id": "[[variables('_connection-3')]" - } - } - }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId4'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId10'),'/'))))]", "properties": { - "parentId": "[variables('playbookId4')]", - "contentId": "[variables('_playbookContentId4')]", + "parentId": "[variables('playbookId10')]", + "contentId": "[variables('_playbookContentId10')]", "kind": "Playbook", - "version": "[variables('playbookVersion4')]", + "version": "[variables('playbookVersion10')]", "source": { "kind": "Solution", "name": "Recorded Future", 
@@ -2718,99 +4390,67 @@ } ], "metadata": { - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Sentinel incident \"Sentinel.", - "prerequisites": [ - "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" - ], + "title": "RecordedFuture-ImportToSentinel", + "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook is purposed to listen (via batching mechanism provided by Microsoft Azure) for incoming messages from the IndicatorProcessor Playbooks and create submit the indicators for creation", "postDeployment": [ - "After deployment open the playbook in edit mode and configure/authorize all connections and press save.\"Logic" + "After deployment you have to open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2023-03-08T00:00:00Z", - "entities": [ - "ip", - "url", - "dnsresolution", - "filehash" + "prerequisites": [ + "None" ], + "lastUpdateTime": "2023-08-09T00:00:00Z", "tags": [ - "Enrichment" + "Deprecated", + "Threat Intelligence" ], "releaseNotes": [ { - "version": "2.3.1", - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "notes": [ - "Handle 404 result from enrichment." - ] - }, - { - "version": "2.3.0", - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "notes": [ - "Added detections, updated readme and improved layout." 
- ] - }, - { - "version": "1.1.1", - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "notes": [ - "Fixed riskrule severity and correct image url." - ] - }, - { - "version": "1.1.0", - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "version": "1.1", + "title": "Deprecated", "notes": [ - "Improved layout and added consent for intelligence Recorded Future cloud sharing." + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." ] }, { - "version": "1.0.0", - "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", + "version": "1.0", + "title": "RecordedFuture-ImportToSentinel", "notes": [ "Initial version" ] } ] } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName5')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor playbook", - "displayName": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId10')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-ImportToSentinel", + "contentProductId": "[variables('_playbookcontentProductId10')]", + "id": "[variables('_playbookcontentProductId10')]", + "version": "[variables('playbookVersion10')]" } }, { - "type": 
"Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('playbookTemplateSpecName5'),'/',variables('playbookVersion5'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('playbookTemplateSpecName11')]",
  "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Playbook"
- },
  "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName5'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
  ],
  "properties": {
- "description": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor Playbook with template version 2.4.0",
+ "description": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor Playbook with template version 3.0.0",
  "mainTemplate": {
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('playbookVersion5')]",
+ "contentVersion": "[variables('playbookVersion11')]",
  "parameters": {
  "PlaybookName": {
- "defaultValue": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor",
+ "defaultValue": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor",
  "type": "String"
  },
  "PlaybookNameBatching": {
@@ -2832,6 +4472,11 @@
  "apiVersion": "2019-05-01",
  "name": "[[parameters('PlaybookName')]",
  "location": "[[variables('workspace-location-inline')]",
+ "tags": {
+ "hidden-SentinelTemplateName": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor",
+ "hidden-SentinelTemplateVersion": "1.1",
+ "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
+ },
  "dependsOn": [
  "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]"
  ],
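Review bot: The new metadata strings in the RecordedFuture-ImportToSentinel hunk are user-facing in the Sentinel content hub and several read awkwardly: `"Use the new IndicatorImport playbooks that is provided in this Solution"`, `"create submit the indicators for creation"` in the description, and in the 1.1 release note `"Deprecated in favor for"` plus the fragment `"Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook."`. Suggested wording: `"Use the new IndicatorImport playbooks that are provided in this Solution"`, `"... for incoming messages from the IndicatorProcessor playbooks and submits the indicators for creation"`, `"Deprecated in favor of the new IndicatorImport playbooks. ..."` and `"Once a new IndicatorImport playbook that downloads the same risk list is installed, deactivate or delete this playbook."`. The 1.1 entry's `"title": "Deprecated"` also departs from the other release-note entries, which use the playbook name as the title. The tail of this hunk begins the RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor template, whose definition continues outside the hunk.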
@@ -2904,10 +4549,10 @@
 "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}",
 "azureTenantId": "[[subscription().tenantId]",
 "confidence": "@int(body('Parse_JSON')?['Risk'])",
- "description": "Recorded Future - IP - Actively Communicating C&C Server",
- "expirationDateTime": "@{addHours(utcNow(),1)}",
+ "description": "Recorded Future - DOMAIN - C2 DNS Name",
+ "domainName": "@{body('Parse_JSON')?['Name']}",
+ "expirationDateTime": "@{addHours(utcNow(),2)}",
 "ingestedDateTime": "@{utcNow()}",
- "networkIPv4": "@{body('Parse_JSON')?['Name']}",
 "targetProduct": "Azure Sentinel",
 "threatType": "C2",
 "tlpLevel": "amber"
@@ -2945,7 +4590,7 @@
 "method": "get",
 "path": "/fusion/files",
 "queries": {
- "path": "/public/MicrosoftAzure/ip_active_c2.json"
+ "path": "/public/MicrosoftAzure/domain_c2_dns.json"
 }
 },
 "type": "ApiConnection"
@@ -2961,7 +4606,7 @@
 "Recurrence": {
 "recurrence": {
 "frequency": "Hour",
- "interval": 1
+ "interval": 2
 },
 "type": "Recurrence"
 }
@@ -2978,9 +4623,6 @@
 }
 }
 }
- },
- "tags": {
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
 }
 },
 {
@@ -2997,12 +4639,12 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId5'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId11'),'/'))))]",
 "properties": {
- "parentId": "[variables('playbookId5')]",
- "contentId": "[variables('_playbookContentId5')]",
+ "parentId": "[variables('playbookId11')]",
+ "contentId": "[variables('_playbookContentId11')]",
 "kind": "Playbook",
- "version": "[variables('playbookVersion5')]",
+ "version": "[variables('playbookVersion11')]",
 "source": {
 "kind": "Solution",
 "name": "Recorded Future",
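Review bot: The indicator lifetime set in the -2904 hunk, `"expirationDateTime": "@{addHours(utcNow(),2)}"`, equals the download period set in the -2961 hunk, `"interval": 2` hours, so one failed or delayed run appears to let the previous run's indicators expire before they are re-imported, opening a detection gap until the next successful run. A lifetime of at least two refresh periods, e.g. `"expirationDateTime": "@{addHours(utcNow(),4)}"`, would tolerate a single missed run; if the tight window is deliberate, a sentence in the playbook description would help operators understand it. The same one-period pairing appears in the HASH playbook (-3175 and -3231 hunks), the IP playbook (-3467 hunk and the trigger in the -3492 hunk) and the URL playbook (-3603 and -3927 hunks). The Logic App definition these hunks belong to starts and ends outside them.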
@@ -3022,8 +4664,8 @@
 }
 ],
 "metadata": {
- "title": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Actively Communicating C&C Server IP RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "title": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the C&C DNS Name Domain RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
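Review bot: The new description in this hunk has two grammatical slips that will be shown verbatim in the content hub: `Use the new IndicatorImport playbooks that is provided in this Solution.` should read `Use the new IndicatorImport playbooks that are provided in this Solution.`, and `depends on RecordedFuture-ImportToSentinel that need to be installed` should be `that needs to be installed`. The same text is repeated for the HASH playbook in the -3293 hunk and the IP playbook in the -3492 hunk, so the fix applies there too. The `metadata` object continues outside the hunk.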
@@ -3031,57 +4673,59 @@ "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2022-08-01T00:00:00Z", + "lastUpdateTime": "2023-08-07T00:00:00Z", "tags": [ + "Deprecated", "Threat Intelligence" ], "releaseNotes": [ { - "version": "1.0.0", - "title": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", + "version": "1.0", + "title": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor", "notes": [ "Initial version" ] + }, + { + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." + ] } ] } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName6')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor playbook", - "displayName": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId11')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor", + "contentProductId": "[variables('_playbookcontentProductId11')]", + "id": "[variables('_playbookcontentProductId11')]", + "version": "[variables('playbookVersion11')]" } }, { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName6'),'/',variables('playbookVersion6'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName12')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName6'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor Playbook with template version 2.4.0", + "description": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion6')]", + "contentVersion": "[variables('playbookVersion12')]", "parameters": { "PlaybookName": { - "defaultValue": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor", + "defaultValue": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", "type": "String" }, "PlaybookNameBatching": { @@ -3103,6 +4747,11 @@ "apiVersion": "2019-05-01", "name": "[[parameters('PlaybookName')]", "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, "dependsOn": [ "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" ], 
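Review bot: The two release-note strings added in the -3031 hunk read awkwardly: `Deprecated in favor for the new IndicatorImport playbooks.` should be `Deprecated in favor of the new IndicatorImport playbooks.`, and the fragment `Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook.` would be clearer as one sentence, `Once a new IndicatorImport playbook that downloads the same risk list is installed, deactivate or delete this playbook.` The ordering of `releaseNotes` is also inconsistent between playbooks: here version 1.0 precedes 1.1, while the -3302 and -3492 hunks list 1.1 first, and the 1.0 entry's title here carries the `-IndicatorProcessor` suffix while the -3302 hunk's 1.0 entry uses `-TIProcessor`. One order and one naming across all playbooks would make the notes easier to read. The same two strings recur in the -3302 and -3492 hunks.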
@@ -3175,13 +4824,14 @@
 "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}",
 "azureTenantId": "[[subscription().tenantId]",
 "confidence": "@int(body('Parse_JSON')?['Risk'])",
- "description": "Recorded Future - URL - Recently Reported by Insikt Group",
- "expirationDateTime": "@{addHours(utcNow(),2)}",
+ "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites",
+ "expirationDateTime": "@{addDays(utcNow(),1)}",
+ "fileHashType": "unknown",
+ "fileHashValue": "@{body('Parse_JSON')?['Name']}",
 "ingestedDateTime": "@{utcNow()}",
 "targetProduct": "Azure Sentinel",
- "threatType": "MaliciousUrl",
- "tlpLevel": "amber",
- "url": "@{body('Parse_JSON')?['Name']}"
+ "threatType": "Malware",
+ "tlpLevel": "amber"
 },
 "host": {
 "triggerName": "Batch_messages",
@@ -3216,7 +4866,7 @@
 "method": "get",
 "path": "/fusion/files",
 "queries": {
- "path": "/public/MicrosoftAzure/url_insikt.json"
+ "path": "/public/MicrosoftAzure/hash_observed_testing.json"
 }
 },
 "type": "ApiConnection"
@@ -3231,8 +4881,8 @@
 "triggers": {
 "Recurrence": {
 "recurrence": {
- "frequency": "Hour",
- "interval": 2
+ "frequency": "Day",
+ "interval": 1
 },
 "type": "Recurrence"
 }
@@ -3249,9 +4899,6 @@
 }
 }
 }
- },
- "tags": {
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
 }
 },
 {
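Review bot: The hash indicator in the -3175 hunk is emitted with a hard-coded `"fileHashType": "unknown"`, whereas the Ukraine processor removed in the -3603 hunk derived the type from the entry's `Algorithm` field with `replace(replace(body('Parse_JSON_4')?['Algorithm'],'SHA-256', 'sha256'),'SHA-1', 'sha1')`. Indicators of unknown hash type are harder for analytics rules to match against SHA-1/SHA-256 columns, so the detection value of this risk list is reduced. If the `hash_observed_testing.json` entries carry an `Algorithm` field (the Parse_JSON schema is outside this hunk), reusing that expression as `"fileHashType": "@{replace(replace(body('Parse_JSON')?['Algorithm'],'SHA-256','sha256'),'SHA-1','sha1')}"` and adding `Algorithm` to the schema would preserve the type. The surrounding `SendToBatch` action starts and ends outside the hunk.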
@@ -3268,12 +4915,12 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId6'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId12'),'/'))))]",
 "properties": {
- "parentId": "[variables('playbookId6')]",
- "contentId": "[variables('_playbookContentId6')]",
+ "parentId": "[variables('playbookId12')]",
+ "contentId": "[variables('_playbookContentId12')]",
 "kind": "Playbook",
- "version": "[variables('playbookVersion6')]",
+ "version": "[variables('playbookVersion12')]",
 "source": {
 "kind": "Solution",
 "name": "Recorded Future",
@@ -3293,8 +4940,8 @@
 }
 ],
 "metadata": {
- "title": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Recently Reported by Insikt Group URL RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Observed in Underground Virus Testing Sites Hash RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
@@ -3302,67 +4949,69 @@ "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2022-08-01T00:00:00Z", + "lastUpdateTime": "2023-08-09T00:00:00Z", "tags": [ + "Deprecated", "Threat Intelligence" ], "releaseNotes": [ { - "version": "1.0.0", - "title": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." + ] + }, + { + "version": "1.0", + "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", "notes": [ "Initial version" ] } ] } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName7')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-Ukraine-IndicatorProcessor playbook", - "displayName": "RecordedFuture-Ukraine-IndicatorProcessor playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId12')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor", + "contentProductId": "[variables('_playbookcontentProductId12')]", + "id": "[variables('_playbookcontentProductId12')]", + "version": "[variables('playbookVersion12')]" } }, { - "type": 
"Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName7'),'/',variables('playbookVersion7'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName13')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName7'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFuture-Ukraine-IndicatorProcessor Playbook with template version 2.4.0", + "description": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion7')]", + "contentVersion": "[variables('playbookVersion13')]", "parameters": { "PlaybookName": { - "defaultValue": "RecordedFuture-Ukraine-IndicatorProcessor", - "type": "string" + "defaultValue": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", + "type": "String" }, "PlaybookNameBatching": { "defaultValue": "RecordedFuture-ImportToSentinel", - "type": "string" + "type": "String" } }, "variables": { - "RecordedfutureConnectionName": "recordedfuture-connectorv2", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", + "RecordedFutureConnectionName": "recordedfuture-connectorv2", + "connection-2": 
"[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", "_connection-2": "[[variables('connection-2')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", @@ -3370,36 +5019,25 @@ }, "resources": [ { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ], "properties": { - "provisioningState": "Succeeded", - "state": "Enabled", "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", - "contentVersion": "1.0.0.0", - "parameters": { - "$connections": { - "type": "Object" - } - }, - "triggers": { - "Recurrence": { - "recurrence": { - "frequency": "Day", - "interval": 1 - }, - "evaluatedRecurrence": { - "frequency": "Day", - "interval": 1 - }, - "type": "Recurrence" - } - }, "actions": { "For_each": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", "actions": { "Parse_JSON": { - "type": "ParseJson", "inputs": { "content": "@items('For_each')", "schema": { @@ -3451,15 +5089,10 @@ }, "type": "object" } - } - }, - "RecordedFuture_Ukraine_Detection_ImportToSentinel": { - "runAfter": { - "Parse_JSON": [ - "Succeeded" - ] }, - "type": "SendToBatch", + "type": "ParseJson" + }, + "RecordedFuture-ImportToSentinel": { "inputs": { "batchName": "RFImportToSentinel", "content": { 
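Review bot: The -3370 hunk replaces the body of the RecordedFuture-Ukraine-IndicatorProcessor workflow (daily trigger and the `For_each` over the Ukraine risk lists) with the IP C2 processor, and the Ukraine downloads disappear in the -3492, -3603, -3861 and -3927 hunks, but no release-note or deprecation entry for the Ukraine playbook is visible in this part of the diff. Users who deployed it will stop receiving those watchlist indicators after upgrading, so a release-note line such as `Removed RecordedFuture-Ukraine-IndicatorProcessor; the Ukraine risk lists are no longer imported by this solution.` (or a pointer to a replacement) would be worth adding if it is not elsewhere in the change. The workflow definition containing these hunks starts and ends outside them.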
@@ -3467,14 +5100,13 @@
 "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}",
 "azureTenantId": "[[subscription().tenantId]",
 "confidence": "@int(body('Parse_JSON')?['Risk'])",
- "description": "Recorded Future - Ukraine IP Detection",
- "expirationDateTime": "@{addDays(utcNow(),1)}",
+ "description": "Recorded Future - IP - Actively Communicating C&C Server",
+ "expirationDateTime": "@{addHours(utcNow(),1)}",
 "ingestedDateTime": "@{utcNow()}",
- "isActive": true,
 "networkIPv4": "@{body('Parse_JSON')?['Name']}",
 "targetProduct": "Azure Sentinel",
- "threatType": "WatchList",
- "tlpLevel": "Amber"
+ "threatType": "C2",
+ "tlpLevel": "amber"
 },
 "host": {
 "triggerName": "Batch_messages",
@@ -3482,9 +5114,16 @@
 "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]"
 }
 }
- }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "SendToBatch"
 }
 },
+ "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')",
 "runAfter": {
 "Recorded_Future_RiskLists_and_SCF_Download": [
 "Succeeded"
@@ -3492,110 +5131,190 @@ }, "type": "Foreach" }, - "For_each_2": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_2')", - "actions": { - "Parse_JSON_2": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_2')", - "schema": { - "properties": { - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } + "Recorded_Future_RiskLists_and_SCF_Download": { + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" } }, - "RecordedFuture_Ukraine_Detection_ImportToSentinel_2": { - "runAfter": { - "Parse_JSON_2": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "action": "alert", - "additionalInformation": "@{body('Parse_JSON_2')?['EvidenceDetails']}", - "azureTenantId": "[[subscription().tenantId]", - "confidence": "@int(body('Parse_JSON_2')?['Risk'])", - "description": "Recorded Future - Ukraine Domain Detection", - "domainName": "@{body('Parse_JSON_2')?['Name']}", - "expirationDateTime": "@{addHours(utcNow(),2)}", - "ingestedDateTime": "@{utcNow()}", - "isActive": true, - "targetProduct": "Microsoft Sentinel", - "threatType": "WatchList", - "tlpLevel": "Amber" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, 
'/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/ip_active_c2.json" } }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download_2": [ - "Succeeded" - ] + "type": "ApiConnection" + } + }, + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 }, - "type": "Foreach" - }, - "For_each_3": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_3')", + "type": "Recurrence" + } + } + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[[variables('RecordedFutureConnectionName')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedFutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "properties": { + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId13'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId13')]", + "contentId": "[variables('_playbookContentId13')]", + "kind": "Playbook", + "version": "[variables('playbookVersion13')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future 
Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", + "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Actively Communicating C&C Server IP RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", + "prerequisites": [ + "First install the RecordedFuture-ImportToSentinel playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment you have to open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-08-09T00:00:00Z", + "tags": [ + "Deprecated", + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." 
+ ] + }, + { + "version": "1.0", + "title": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId13')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", + "contentProductId": "[variables('_playbookcontentProductId13')]", + "id": "[variables('_playbookcontentProductId13')]", + "version": "[variables('playbookVersion13')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName14')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor Playbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('playbookVersion14')]", + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor", + "type": "String" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ImportToSentinel", + "type": "String" + } + }, + "variables": { + "RecordedFutureConnectionName": "recordedfuture-connectorv2", + "connection-2": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]", + "_connection-2": 
"[[variables('connection-2')]", + "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", + "workspace-name": "[parameters('workspace')]", + "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[[parameters('PlaybookName')]", + "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ], + "properties": { + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "actions": { + "For_each": { "actions": { - "Parse_JSON_3": { - "type": "ParseJson", + "Parse_JSON": { "inputs": { - "content": "@items('For_each_3')", + "content": "@items('For_each')", "schema": { "properties": { "EvidenceDetails": { 
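Review bot: The support link added in the -3492 hunk, `"link": "http://support.recordedfuture.com/"`, uses plain HTTP, while the other URLs in the same metadata (the GitHub readme and learn.microsoft.com) are HTTPS; a link surfaced to analysts in the content hub should not send them over a cleartext hop. Changing it to `"link": "https://support.recordedfuture.com/"` fixes that, assuming the support site serves HTTPS, which the diff cannot confirm. If the same `support` block is repeated for the other playbook templates in this file, those copies should be updated alike. The `metadata` resource this line belongs to starts and ends inside the hunk, but the enclosing template continues outside it.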
@@ -3603,257 +5322,66 @@ "EvidenceDetails": { "items": { "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "riskString": { - "type": "string" - } - }, - "type": "object" - } - } - }, - "RecordedFuture_Ukraine_Detection_ImportToSentinel_3": { - "runAfter": { - "Parse_JSON_3": [ - "Succeeded" - ] - }, - "type": "SendToBatch", - "inputs": { - "batchName": "RFImportToSentinel", - "content": { - "action": "alert", - "additionalInformation": "@{body('Parse_JSON_3')?['EvidenceDetails']}", - "azureTenantId": "[[subscription().tenantId]", - "confidence": "@int(body('Parse_JSON_3')?['Risk'])", - "description": "Recorded Future - Ukraine Url Detection", - "expirationDateTime": "@{addHours(utcNow(),2)}", - "ingestedDateTime": "@{utcNow()}", - "isActive": true, - "targetProduct": "Microsoft Sentinel", - "threatType": "MaliciousUrl", - "tlpLevel": "Amber", - "url": "@{body('Parse_JSON_3')?['Name']}" - }, - "host": { - "triggerName": "Batch_messages", - "workflow": { - "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" - } - } - } - } - }, - "runAfter": { - "Recorded_Future_RiskLists_and_SCF_Download_3": [ - "Succeeded" - ] - }, - "type": "Foreach" - }, - "For_each_4": { - "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_4')", - "actions": { - "Parse_JSON_4": { - "type": "ParseJson", - "inputs": { - "content": "@items('For_each_4')", - "schema": { - "properties": { - "body": { - "items": { - 
"properties": { - "Algorithm": { - "type": "string" - }, - "EvidenceDetails": { - "properties": { - "EvidenceDetails": { - "items": { - "properties": { - "Criticality": { - "type": "integer" - }, - "CriticalityLabel": { - "type": "string" - }, - "EvidenceString": { - "type": "string" - }, - "MitigationString": { - "type": "string" - }, - "Rule": { - "type": "string" - }, - "Timestamp": { - "type": "integer" - } - }, - "required": [ - "Rule", - "EvidenceString", - "CriticalityLabel", - "Timestamp", - "MitigationString", - "Criticality" - ], - "type": "object" - }, - "type": "array" - } - }, - "type": "object" - }, - "Name": { - "type": "string" - }, - "Risk": { - "type": "integer" - }, - "RiskString": { - "type": "string" - } - }, - "required": [ - "Name", - "Algorithm", - "Risk", - "RiskString", - "EvidenceDetails" - ], - "type": "object" - }, - "type": "array" - }, - "headers": { - "properties": { - "CF-Cache-Status": { - "type": "string" - }, - "CF-RAY": { - "type": "string" - }, - "Cache-Control": { - "type": "string" - }, - "Content-Length": { - "type": "string" - }, - "Content-Type": { - "type": "string" - }, - "Date": { - "type": "string" - }, - "Expect-CT": { - "type": "string" - }, - "Timing-Allow-Origin": { - "type": "string" - }, - "Transfer-Encoding": { - "type": "string" - }, - "pragma": { - "type": "string" - }, - "referrer-policy": { - "type": "string" - }, - "strict-transport-security": { - "type": "string" - }, - "x-content-type-options": { - "type": "string" - }, - "x-frame-options": { - "type": "string" - }, - "x-ms-apihub-cached-response": { - "type": "string" - }, - "x-ms-apihub-obo": { - "type": "string" - }, - "x-rf-proxy-basepath": { - "type": "string" - }, - "x-rf-proxy-serviceid": { - "type": "string" - }, - "x-xss-protection": { - "type": "string" + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + 
"type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" } }, "type": "object" }, - "statusCode": { + "Name": { + "type": "string" + }, + "Risk": { "type": "integer" + }, + "riskString": { + "type": "string" } }, "type": "object" } - } - }, - "RecordedFuture_Ukraine_Detection_ImportToSentinel_4": { - "runAfter": { - "Parse_JSON_4": [ - "Succeeded" - ] }, - "type": "SendToBatch", + "type": "ParseJson" + }, + "RecordedFuture-ImportToSentinel": { "inputs": { "batchName": "RFImportToSentinel", "content": { "action": "alert", - "additionalInformation": "@{body('Parse_JSON_4')?['EvidenceDetails']}", + "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}", "azureTenantId": "[[subscription().tenantId]", - "confidence": "@int(body('Parse_JSON_4')?['Risk'])", - "description": "Recorded Future - Ukraine File Hash Detection", + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "description": "Recorded Future - URL - Recently Reported by Insikt Group", "expirationDateTime": "@{addHours(utcNow(),2)}", - "filehashtype": "@{replace(replace(body('Parse_JSON_4')?['Algorithm'],'SHA-256', 'sha256'),'SHA-1', 'sha1')}", - "filehashvalue": "@{body('Parse_JSON_4')?['Name']}", "ingestedDateTime": "@{utcNow()}", - "isActive": true, - "targetProduct": "Microsoft Sentinel", - "threatType": "Malware", - "tlpLevel": "Amber" + "targetProduct": "Azure Sentinel", + "threatType": "MaliciousUrl", + "tlpLevel": "amber", + "url": "@{body('Parse_JSON')?['Name']}" }, "host": { "triggerName": "Batch_messages", 
@@ -3861,63 +5389,24 @@
 "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]"
 }
 }
- }
+ },
+ "runAfter": {
+ "Parse_JSON": [
+ "Succeeded"
+ ]
+ },
+ "type": "SendToBatch"
 }
 },
+ "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')",
 "runAfter": {
- "Recorded_Future_RiskLists_and_SCF_Download_4": [
+ "Recorded_Future_RiskLists_and_SCF_Download": [
 "Succeeded"
 ]
 },
 "type": "Foreach"
 },
 "Recorded_Future_RiskLists_and_SCF_Download": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['recordedfuture']['connectionId']"
- }
- },
- "method": "get",
- "path": "/fusion/files",
- "queries": {
- "path": "/public/ukraine/ukraine_russia_ip.csv"
- }
- }
- },
- "Recorded_Future_RiskLists_and_SCF_Download_2": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['recordedfuture']['connectionId']"
- }
- },
- "method": "get",
- "path": "/fusion/files",
- "queries": {
- "path": "/public/ukraine/ukraine_russia_domain.csv"
- }
- }
- },
- "Recorded_Future_RiskLists_and_SCF_Download_3": {
- "type": "ApiConnection",
- "inputs": {
- "host": {
- "connection": {
- "name": "@parameters('$connections')['recordedfuture']['connectionId']"
- }
- },
- "method": "get",
- "path": "/fusion/files",
- "queries": {
- "path": "/public/ukraine/ukraine_russia_url.csv"
- }
- }
- },
- "Recorded_Future_RiskLists_and_SCF_Download_4": {
- "type": "ApiConnection",
 "inputs": {
 "host": {
 "connection": {
@@ -3927,9 +5416,25 @@
 "method": "get",
 "path": "/fusion/files",
 "queries": {
- "path": "/public/ukraine/ukraine_russia_hash.csv"
+ "path": "/public/MicrosoftAzure/url_insikt.json"
 }
- }
+ },
+ "type": "ApiConnection"
+ }
+ },
+ "contentVersion": "1.0.0.0",
+ "parameters": {
+ "$connections": {
+ "type": "Object"
+ }
+ },
+ "triggers": {
+ "Recurrence": {
+ "recurrence": {
+ "frequency": "Hour",
+ "interval": 2
+ },
+ "type": "Recurrence"
 }
 }
 },
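Review bot: The Recurrence trigger added here fires every two hours (`"frequency": "Hour"`, `"interval": 2`), which is exactly the lifetime the preceding hunk gives each imported indicator (`"expirationDateTime": "@{addHours(utcNow(),2)}"`), so any delayed, throttled or failed run leaves a window in which the previously imported URL indicators have already expired before the refresh lands; the preceding hunk also drops `"isActive": true` from the batch content, so activation now depends on whatever the batching playbook defaults it to. Unless RecordedFuture-ImportToSentinel (not in this diff) rewrites the expiry, give indicators a lifetime comfortably longer than the refresh period, e.g. `"expirationDateTime": "@{addHours(utcNow(),6)}"`. The same mismatch is worse in the RecordedFuture-Ukraine-IndicatorProcessor hunk later in this diff, where the domain, URL and hash branches expire after two hours but the trigger runs once a day, leaving those indicators inactive for most of each cycle. Both templates are marked deprecated, but a deployed deprecated template still produces the detection gap.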
@@ -3937,38 +5442,21 @@
 "$connections": {
 "value": {
 "recordedfuture": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]",
- "connectionName": "[[variables('RecordedfutureConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]"
+ "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',variables('workspace-location-inline'),'/managedApis/recordedfuturev2')]",
+ "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]",
+ "connectionName": "[[variables('RecordedFutureConnectionName')]"
 }
 }
 }
 }
- },
- "name": "[[parameters('PlaybookName')]",
- "type": "Microsoft.Logic/workflows",
- "location": "[[variables('workspace-location-inline')]",
- "tags": {
- "hidden-SentinelTemplateName": "RecordedFuture_Ukraine_Detection_IndicatorProcessor",
- "hidden-SentinelTemplateVersion": "1.0",
- "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]"
- },
- "identity": {
- "type": "SystemAssigned"
- },
- "apiVersion": "2017-07-01",
- "dependsOn": [
- "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
- ]
+ }
 },
 {
 "type": "Microsoft.Web/connections",
 "apiVersion": "2016-06-01",
- "name": "[[variables('RecordedfutureConnectionName')]",
+ "name": "[[variables('RecordedFutureConnectionName')]",
 "location": "[[variables('workspace-location-inline')]",
- "kind": "V1",
 "properties": {
- "displayName": "[[variables('RecordedfutureConnectionName')]",
 "api": {
 "id": "[[variables('_connection-2')]"
 }
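Review bot: This playbook now spells the connection variable `RecordedFutureConnectionName` (capital F) and lowercases the managed API segment to `recordedfuturev2`, while the other Recorded Future playbooks in the same mainTemplate keep `RecordedfutureConnectionName` and `Recordedfuturev2` (see the Ukraine-IndicatorProcessor hunks later in this diff). ARM matches resource ids case-insensitively as far as I know, so this is probably harmless at deploy time, but two spellings of the same connection within one solution make the template harder to audit and to grep when rotating the API token behind it. Pick one spelling for the variable and the managedApis id across every playbook in the solution; the variables block that defines this playbook's value is outside the hunk, as is the workflow resource's dependsOn on the connection.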
@@ -3977,12 +5465,12 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId7'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId14'),'/'))))]",
 "properties": {
- "parentId": "[variables('playbookId7')]",
- "contentId": "[variables('_playbookContentId7')]",
+ "parentId": "[variables('playbookId14')]",
+ "contentId": "[variables('_playbookContentId14')]",
 "kind": "Playbook",
- "version": "[variables('playbookVersion7')]",
+ "version": "[variables('playbookVersion14')]",
 "source": {
 "kind": "Solution",
 "name": "Recorded Future",
@@ -4002,8 +5490,8 @@
 }
 ],
 "metadata": {
- "title": "RecordedFuture-Ukraine-IndicatorProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Ukraine RiskLists, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "title": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Recently Reported by Insikt Group URL RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
@@ -4011,71 +5499,70 @@ "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], - "lastUpdateTime": "2022-09-20T00:00:00Z", + "lastUpdateTime": "2022-08-09T00:00:00Z", "tags": [ + "Deprecated", "Threat Intelligence" ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } + "releaseNotes": [ + { + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." + ] + }, + { + "version": "1.0", + "title": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor", + "notes": [ + "Initial version" + ] + } + ] } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('playbookTemplateSpecName8')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, - "properties": { - "description": "RecordedFuture-Sandbox_Enrichment-Url playbook", - "displayName": "RecordedFuture-Sandbox_Enrichment-Url playbook" + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId14')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor", + "contentProductId": "[variables('_playbookcontentProductId14')]", + "id": "[variables('_playbookcontentProductId14')]", + "version": 
"[variables('playbookVersion14')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('playbookTemplateSpecName8'),'/',variables('playbookVersion8'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('playbookTemplateSpecName15')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Playbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('playbookTemplateSpecName8'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RecordedFuture-Sandbox_Enrichment-Url Playbook with template version 2.4.0", + "description": "RecordedFuture-Ukraine-IndicatorProcessor Playbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('playbookVersion8')]", + "contentVersion": "[variables('playbookVersion15')]", "parameters": { "PlaybookName": { - "defaultValue": "RecordedFuture-Sandbox_Enrichment-Url", + "defaultValue": "RecordedFuture-Ukraine-IndicatorProcessor", "type": "string" }, - "Sandbox API Key": { - "type": "string", - "metadata": { - "description": "Enter value for Sandbox API Key. 
Retrive API Key from [Recorded Future Portal](https://sandbox.recordedfuture.com/account)" - } + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ImportToSentinel", + "type": "string" } }, "variables": { - "RecordedfutureConnectionName": "[[concat('', parameters('PlaybookName'))]", - "MicrosoftSentinelConnectionName": "[[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", - "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]", + "RecordedfutureConnectionName": "recordedfuture-connectorv2", + "connection-2": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]", "_connection-2": "[[variables('connection-2')]", - "connection-3": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]", - "_connection-3": "[[variables('connection-3')]", "workspace-location-inline": "[concat('[resourceGroup().locatio', 'n]')]", "workspace-name": "[parameters('workspace')]", "workspaceResourceId": "[[resourceId('microsoft.OperationalInsights/Workspaces', variables('workspace-name'))]" 
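Review bot: `"lastUpdateTime": "2022-08-09T00:00:00Z"` moves this playbook's metadata backwards from the removed 2022-09-20 value in the same hunk that adds the 1.1 "Deprecated" release entry, while the Ukraine-IndicatorProcessor metadata later in this diff records the same deprecation as 2023-09-13; this looks like a stale value carried over from another template and should be the actual deprecation date, e.g. `"lastUpdateTime": "2023-09-13T00:00:00Z"`. Separately, the new variables block for the next playbook pins `"RecordedfutureConnectionName": "recordedfuture-connectorv2"` as a literal where the removed line derived it from PlaybookName, so if other playbooks in the solution use the same literal they all share one Microsoft.Web/connections resource and the Recorded Future API token stored in it; the release note that tells operators to delete this playbook should then say that the connection resource must be kept while any other playbook still references it. The release note sentence "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." is two fragments; consider "Once a new IndicatorImport playbook that downloads the same risk list is installed, deactivate or delete this playbook." The contentTemplates resource these lines belong to continues past the hunk.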
@@ -4091,195 +5578,556 @@ "parameters": { "$connections": { "type": "Object" - }, - "Sandbox API Key": { - "defaultValue": "[[parameters('Sandbox API Key')]", - "type": "string" } }, "triggers": { - "Microsoft_Sentinel_incident": { - "type": "ApiConnectionWebhook", - "inputs": { - "body": { - "callback_url": "@{listCallbackUrl()}" - }, - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "path": "/incident-creation" - } - } - }, - "actions": { - "Entities_-_Get_URLs": { - "type": "ApiConnection", - "inputs": { - "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", - "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" - } - }, - "method": "post", - "path": "/entities/url" - } - }, + "Recurrence": { + "recurrence": { + "frequency": "Day", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Day", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { "For_each": { - "foreach": "@body('Entities_-_Get_URLs')?['URLs']", + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", "actions": { - "Add_comment_to_incident_(V3)": { + "Parse_JSON": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + 
"RecordedFuture_Ukraine_Detection_ImportToSentinel": { "runAfter": { - "Get_the_full_report": [ + "Parse_JSON": [ "Succeeded" ] }, - "type": "ApiConnection", + "type": "SendToBatch", "inputs": { - "body": { - "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "

@{body('Get_the_full_report')?['html_report']}

" + "batchName": "RFImportToSentinel", + "content": { + "action": "alert", + "additionalInformation": "@{body('Parse_JSON')?['EvidenceDetails']}", + "azureTenantId": "[[subscription().tenantId]", + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "description": "Recorded Future - Ukraine IP Detection", + "expirationDateTime": "@{addDays(utcNow(),1)}", + "ingestedDateTime": "@{utcNow()}", + "isActive": true, + "networkIPv4": "@{body('Parse_JSON')?['Name']}", + "targetProduct": "Azure Sentinel", + "threatType": "WatchList", + "tlpLevel": "Amber" }, "host": { - "connection": { - "name": "@parameters('$connections')['azuresentinel']['connectionId']" + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" } - }, - "method": "post", - "path": "/Incidents/Comment" + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_2": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_2')", + "actions": { + "Parse_JSON_2": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_2')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } } }, - "Get_the_full_report": { + 
"RecordedFuture_Ukraine_Detection_ImportToSentinel_2": { "runAfter": { - "Wait_for_sandbox_report": [ + "Parse_JSON_2": [ "Succeeded" ] }, - "type": "ApiConnection", + "type": "SendToBatch", "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" + "batchName": "RFImportToSentinel", + "content": { + "action": "alert", + "additionalInformation": "@{body('Parse_JSON_2')?['EvidenceDetails']}", + "azureTenantId": "[[subscription().tenantId]", + "confidence": "@int(body('Parse_JSON_2')?['Risk'])", + "description": "Recorded Future - Ukraine Domain Detection", + "domainName": "@{body('Parse_JSON_2')?['Name']}", + "expirationDateTime": "@{addHours(utcNow(),2)}", + "ingestedDateTime": "@{utcNow()}", + "isActive": true, + "targetProduct": "Microsoft Sentinel", + "threatType": "WatchList", + "tlpLevel": "Amber" }, "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" } - }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Get_the_full_summary')?['id'])}/overview.json" + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download_2": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_3": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_3')", + "actions": { + "Parse_JSON_3": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_3')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ 
+ "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } } }, - "Initialize_Sandbox_status": { + "RecordedFuture_Ukraine_Detection_ImportToSentinel_3": { "runAfter": { - "Submit_url_samples": [ + "Parse_JSON_3": [ "Succeeded" ] }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Submit_url_samples')?['status']" - } - }, - "Submit_url_samples": { - "type": "ApiConnection", + "type": "SendToBatch", "inputs": { - "body": { - "url": "@items('For_each')?['Url']" - }, - "headers": { - "Content-Type": "application/json", - "SandboxToken": "@parameters('Sandbox API Key')" + "batchName": "RFImportToSentinel", + "content": { + "action": "alert", + "additionalInformation": "@{body('Parse_JSON_3')?['EvidenceDetails']}", + "azureTenantId": "[[subscription().tenantId]", + "confidence": "@int(body('Parse_JSON_3')?['Risk'])", + "description": "Recorded Future - Ukraine Url Detection", + "expirationDateTime": "@{addHours(utcNow(),2)}", + "ingestedDateTime": "@{utcNow()}", + "isActive": true, + "targetProduct": "Microsoft Sentinel", + "threatType": "MaliciousUrl", + "tlpLevel": "Amber", + "url": "@{body('Parse_JSON_3')?['Name']}" }, "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" } - }, - "method": "post", - "path": "/samples/url" + } } - }, - "Wait_for_sandbox_report": { - "actions": { - "Delay": { - "runAfter": { - "Set_sandbox_status": [ - "Succeeded" - ] - }, - "type": "Wait", - "inputs": { - "interval": 
{ - "count": 2, - "unit": "Minute" - } - } - }, - "Get_the_full_summary": { - "type": "ApiConnection", - "inputs": { - "headers": { - "SandboxToken": "@parameters('Sandbox API Key')" + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download_3": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "For_each_4": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download_4')", + "actions": { + "Parse_JSON_4": { + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_4')", + "schema": { + "properties": { + "body": { + "items": { + "properties": { + "Algorithm": { + "type": "string" + }, + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "MitigationString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "MitigationString", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "RiskString": { + "type": "string" + } + }, + "required": [ + "Name", + "Algorithm", + "Risk", + "RiskString", + "EvidenceDetails" + ], + "type": "object" + }, + "type": "array" }, - "host": { - "connection": { - "name": "@parameters('$connections')['recordedfuturesandbo']['connectionId']" - } + "headers": { + "properties": { + "CF-Cache-Status": { + "type": "string" + }, + "CF-RAY": { + "type": "string" + }, + "Cache-Control": { + "type": "string" + }, + "Content-Length": { + "type": "string" + }, + "Content-Type": { + "type": "string" + }, + "Date": { + "type": "string" + }, + "Expect-CT": { + "type": "string" + }, + "Timing-Allow-Origin": { + "type": "string" + }, + "Transfer-Encoding": { + "type": "string" + }, + "pragma": { 
+ "type": "string" + }, + "referrer-policy": { + "type": "string" + }, + "strict-transport-security": { + "type": "string" + }, + "x-content-type-options": { + "type": "string" + }, + "x-frame-options": { + "type": "string" + }, + "x-ms-apihub-cached-response": { + "type": "string" + }, + "x-ms-apihub-obo": { + "type": "string" + }, + "x-rf-proxy-basepath": { + "type": "string" + }, + "x-rf-proxy-serviceid": { + "type": "string" + }, + "x-xss-protection": { + "type": "string" + } + }, + "type": "object" }, - "method": "get", - "path": "/samples/@{encodeURIComponent(body('Submit_url_samples')?['id'])}" - } - }, - "Set_sandbox_status": { - "runAfter": { - "Get_the_full_summary": [ - "Succeeded" - ] + "statusCode": { + "type": "integer" + } }, - "type": "SetVariable", - "inputs": { - "name": "sandbox_status", - "value": "@body('Get_the_full_summary')?['status']" + "type": "object" + } + } + }, + "RecordedFuture_Ukraine_Detection_ImportToSentinel_4": { + "runAfter": { + "Parse_JSON_4": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "action": "alert", + "additionalInformation": "@{body('Parse_JSON_4')?['EvidenceDetails']}", + "azureTenantId": "[[subscription().tenantId]", + "confidence": "@int(body('Parse_JSON_4')?['Risk'])", + "description": "Recorded Future - Ukraine File Hash Detection", + "expirationDateTime": "@{addHours(utcNow(),2)}", + "filehashtype": "@{replace(replace(body('Parse_JSON_4')?['Algorithm'],'SHA-256', 'sha256'),'SHA-1', 'sha1')}", + "filehashvalue": "@{body('Parse_JSON_4')?['Name']}", + "ingestedDateTime": "@{utcNow()}", + "isActive": true, + "targetProduct": "Microsoft Sentinel", + "threatType": "Malware", + "tlpLevel": "Amber" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', 
parameters('PlaybookNameBatching'))]" } } - }, - "runAfter": { - "Initialize_Sandbox_status": [ - "Succeeded" - ] - }, - "expression": "@equals(variables('sandbox_status'), 'reported')", - "limit": { - "count": 60, - "timeout": "PT1H" - }, - "type": "Until" + } } }, "runAfter": { - "Define_sandbox_status": [ + "Recorded_Future_RiskLists_and_SCF_Download_4": [ "Succeeded" ] }, "type": "Foreach" }, - "Define_sandbox_status": { - "runAfter": { - "Entities_-_Get_URLs": [ - "Succeeded" - ] - }, - "type": "InitializeVariable", + "Recorded_Future_RiskLists_and_SCF_Download": { + "type": "ApiConnection", "inputs": { - "variables": [ - { - "name": "sandbox_status", - "type": "string" + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" } - ] + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/ukraine/ukraine_russia_ip.csv" + } + } + }, + "Recorded_Future_RiskLists_and_SCF_Download_2": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/ukraine/ukraine_russia_domain.csv" + } + } + }, + "Recorded_Future_RiskLists_and_SCF_Download_3": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/ukraine/ukraine_russia_url.csv" + } + } + }, + "Recorded_Future_RiskLists_and_SCF_Download_4": { + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/ukraine/ukraine_russia_hash.csv" + } } } } 
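Review bot: The four import branches in this hunk disagree on the same fields: RecordedFuture_Ukraine_Detection_ImportToSentinel sends `"targetProduct": "Azure Sentinel"` while the _2, _3 and _4 branches send `"targetProduct": "Microsoft Sentinel"`, and Parse_JSON, Parse_JSON_2 and Parse_JSON_3 declare `riskString` where Parse_JSON_4 declares `RiskString` (the casing the Recorded Future files actually use is not visible here). The three lowercase schemas also have no top-level `required`, so a risk-list row without `Risk` passes the ParseJson step and only fails at `@int(body('Parse_JSON')?['Risk'])`, which I believe surfaces as a runtime action failure inside the loop rather than a skipped record. Whichever targetProduct value the batching playbook's TI API accepts (it is not in this diff), use it in all four branches, and add `"required": ["Name", "Risk", "EvidenceDetails"]` to each schema so malformed rows fail at parse time with a clear error. The workflow definition these actions belong to starts before the hunk and the surrounding resource continues after it.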
@@ -4287,20 +6135,10 @@
 "parameters": {
 "$connections": {
 "value": {
- "azuresentinel": {
- "connectionId": "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]",
- "connectionName": "[[variables('MicrosoftSentinelConnectionName')]",
- "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Azuresentinel')]",
- "connectionProperties": {
- "authentication": {
- "type": "ManagedServiceIdentity"
- }
- }
- },
- "recordedfuturesandbo": {
+ "recordedfuture": {
 "connectionId": "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]",
- "connectionName": "recordedfuturesandbo",
- "id": "[[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/recordedfuturesandbo')]"
+ "connectionName": "[[variables('RecordedfutureConnectionName')]",
+ "id": "[[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('workspace-location-inline'), '/managedApis/Recordedfuturev2')]"
 }
 }
 }
@@ -4309,56 +6147,317 @@ "name": "[[parameters('PlaybookName')]", "type": "Microsoft.Logic/workflows", "location": "[[variables('workspace-location-inline')]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Ukraine-IndicatorProcessor", + "hidden-SentinelTemplateVersion": "1.1", + "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + }, "identity": { "type": "SystemAssigned" }, - "tags": { - "hidden-SentinelTemplateName": "RecordedFuture-Sandbox_Enrichment-Url", - "hidden-SentinelTemplateVersion": "1.0", - "hidden-SentinelWorkspaceId": "[[variables('workspaceResourceId')]" + "apiVersion": "2019-05-01", + "dependsOn": [ + "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[[variables('RecordedfutureConnectionName')]", + "location": "[[variables('workspace-location-inline')]", + "kind": "V1", + "properties": { + "displayName": "[[variables('RecordedfutureConnectionName')]", + "api": { + "id": "[[variables('_connection-2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId15'),'/'))))]", + "properties": { + "parentId": "[variables('playbookId15')]", + "contentId": "[variables('_playbookContentId15')]", + "kind": "Playbook", + "version": "[variables('playbookVersion15')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + } + } + } + ], + "metadata": { + "title": 
"RecordedFuture-Ukraine-IndicatorProcessor", + "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Ukraine RiskLists, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", + "prerequisites": [ + "First install the RecordedFuture-ImportToSentinel playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment you have to open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-09-13T00:00:00Z", + "tags": [ + "Deprecated", + "Threat Intelligence" + ], + "releaseNotes": [ + { + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." 
+ ] + }, + { + "version": "1.0", + "title": "RecordedFuture-Ukraine-IndicatorProcessor", + "notes": [ + "Initial version" + ] + } + ] + } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_playbookContentId15')]", + "contentKind": "Playbook", + "displayName": "RecordedFuture-Ukraine-IndicatorProcessor", + "contentProductId": "[variables('_playbookcontentProductId15')]", + "id": "[variables('_playbookcontentProductId15')]", + "version": "[variables('playbookVersion15')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFuturePlaybookAlertOverviewWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion1')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId1')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer." 
+ }, + "properties": { + "displayName": "[parameters('workbook1-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Playbook Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":259200000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Playbook Alerts Log Table\",\"type\":2,\"description\":\"Run the Recorded Future Playbook Alert Importer Playbook first.\",\"isRequired\":true,\"query\":\"search *\\n| where $table endswith \\\"_CL\\\" \\n| distinct $table\\n\",\"timeContext\":{\"durationMs\":604800000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePlaybookAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"categories\",\"label\":\"Category\",\"type\":2,\"description\":\"Filter categories you're 
looking at\",\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct rule_label_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"a0947450-1ebd-4dea-94d7-41a751c79237\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"status\",\"label\":\"Alert Status\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct status_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},{\"id\":\"25a82661-1700-43a6-ba7a-b3ae5d8fe7b9\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"priority\",\"label\":\"Alert Priority\",\"type\":2,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct priority_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":172800000},\"timeContextFromParameter\":\"time_picker\",\"defaultValue\":\"value::all\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize alert_count = count() by rule_label_s\\n| project alert_count, Alert = rule_label_s\",\"size\":0,\"title\":\"Top Categories 
Triggered\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct id_s, rule_label_s, updated_date_t\\n| summarize Alert=count() by bin(updated_date_t, 1h)\\n\",\"size\":0,\"title\":\"Playbook Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where rule_label_s in ({categories:value})\\n| where status_s in ({status:value}) \\n| where priority_s in ({priority:value})\\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\\\"Evidence\\\"]=evidence_summary_s, [\\\"External Link\\\"]=link_s, ID=id_s\\n\\n\",\"size\":0,\"title\":\"Triggered Playbook Alerts\",\"noDataMessage\":\"No data in Playbook Alert custom log. 
Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.\",\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"id_s\",\"exportParameterName\":\"exported_alert_id\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Title\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true}},{\"columnMatch\":\"Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"ID\",\"formatter\":5}],\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Updated\",\"sortOrder\":2}]},\"name\":\"query - 8\"}],\"fromTemplateId\":\"sentinel-RecordedFuturePlaybookAlertOverview\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFuturePlaybookAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Playbook Alerts Overview Workbook. 
This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Playbook Alerts Overview; templateRelativePath=RecordedFuturePlaybookAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId1')]", + "contentId": "[variables('_workbookContentId1')]", + "kind": "Workbook", + "version": "[variables('workbookVersion1')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePlaybookAlerts_CL", + "kind": "DataType" + } + ] + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName2')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 
'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureAlertOverviewWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId2')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer." }, - "apiVersion": "2017-07-01", - "dependsOn": [ - "[[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", - "[[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" - ] + "properties": { + "displayName": "[parameters('workbook2-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future Alerts\\n---\\n\\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. 
First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.\",\"style\":\"info\"},\"name\":\"text - 2\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"8e8c2f1a-d25d-49d1-a217-9831dbc4f919\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"time_picker\",\"label\":\"Time Picker\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":86400000}},{\"id\":\"f8d34a51-ba10-4241-abff-cb6c14b50a55\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"log_table\",\"label\":\"Alerts Log Table\",\"type\":2,\"isRequired\":true,\"query\":\"search \\\"*\\\" | summarize count() by $table | sort by count_ desc | where $table endswith \\\"CL\\\" | project $table\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"RecordedFuturePortalAlerts_CL\"},{\"id\":\"89279a9c-af9e-4734-8a98-21aa1f2fa545\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"alert_rules\",\"label\":\"Alert Rules\",\"type\":2,\"description\":\"Filter alert rules you're looking at\",\"isRequired\":true,\"multiSelect\":true,\"quote\":\"'\",\"delimiter\":\",\",\"query\":\"{log_table}\\n| distinct 
RuleName_s\",\"typeSettings\":{\"additionalResourceOptions\":[\"value::all\"],\"showDefault\":false},\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":[\"value::all\"]}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize alert_count = count() by RuleName_s\\n| project alert_count, Alert = RuleName_s\\n\",\"size\":0,\"title\":\"Top Rules Triggered\",\"noDataMessage\":\"There are no alerts within this time frame.\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"50\",\"name\":\"query - 2\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n| distinct AlertID_s, RuleName_s, Triggered_t\\n| summarize Alert=count() by bin(Triggered_t, 1h)\\n\",\"size\":0,\"title\":\"Alerts triggered over time\",\"timeContextFromParameter\":\"time_picker\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"categoricalbar\"},\"customWidth\":\"50\",\"name\":\"query - 2 - Copy\",\"styleSettings\":{\"maxWidth\":\"70\"}},{\"type\":11,\"content\":{\"version\":\"LinkItem/1.0\",\"style\":\"tabs\",\"links\":[{\"id\":\"20edde78-9485-4056-8eca-6ef7cd86c8b5\",\"cellValue\":\"TAB\",\"linkTarget\":\"parameter\",\"linkLabel\":\"Alert\",\"subTarget\":\"Reference\",\"preText\":\"Some thing\",\"postText\":\"Some thing\",\"style\":\"link\"}]},\"name\":\"links - 
5\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where RuleName_s in ({alert_rules:value})\\n//| where Documents_s != \\\"[]\\\"\\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \\n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\\n| distinct Triggered = Triggered_t, [\\\"Alert ID\\\"]=AlertID_s, [\\\"Alert Name\\\"]=AlertName_s, [\\\"Rule Name\\\"]=RuleName_s, [\\\"External Link\\\"]= URL_s\\n\\n\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportFieldName\":\"Alert ID\",\"exportParameterName\":\"Ref_AlertID\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"External Link\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}},{\"columnMatch\":\"Recorded Future Portal\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\"}},{\"columnMatch\":\"URL\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"Url\",\"linkLabel\":\"Recorded Future\"}}],\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"Triggered\",\"sortOrder\":2}]},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{log_table:value}\\n| where AlertID_s == \\\"{Ref_AlertID}\\\"\\n| project Fragment=Fragment_s, Source=Documents_source_name_s, Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\\n| mv-apply with_itemindex=i entities on (\\n extend p = pack(strcat(\\\"Entity \\\", i+1), strcat(entities.type, \\\", \\\", entities.name, \\\", id:\\\", entities.id))\\n | summarize b = 
make_bag(p)\\n)\\n| evaluate bag_unpack(b)\\n| project-reorder Fragment, Source, Title, URL, Entity*\\n\\n\",\"size\":0,\"timeContextFromParameter\":\"time_picker\",\"exportedParameters\":[{\"fieldName\":\"Fragment\",\"parameterName\":\"FragmentRef\",\"parameterType\":1},{\"fieldName\":\"Title\",\"parameterName\":\"TitleRef\",\"parameterType\":1}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Fragment\",\"formatter\":7,\"formatOptions\":{\"linkTarget\":\"GenericDetails\",\"linkIsContextBlade\":true},\"tooltipFormat\":{\"tooltip\":\"{0}\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference View\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**Document Title**\\r\\n{TitleRef}\"},\"name\":\"text - 3\"},{\"type\":1,\"content\":{\"json\":\"**Fragment**\\r\\n{FragmentRef}\\r\\n\\r\\n\\r\\n\"},\"showPin\":false,\"name\":\"Fragment\"}]},\"name\":\"group - 4\"}]},\"conditionalVisibility\":{\"parameterName\":\"TAB\",\"comparison\":\"isEqualTo\",\"value\":\"Reference\"},\"name\":\"Reference Alerts\"}],\"fromTemplateId\":\"sentinel-RecordedFutureAlertOverviewWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } }, { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('RecordedfutureConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', 
last(split(variables('workbookId2'),'/'))))]", "properties": { - "displayName": "[[variables('RecordedfutureConnectionName')]", - "api": { - "id": "[[variables('_connection-2')]" + "description": "@{workbookKey=RecordedFutureAlertOverviewWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Alerts Overview; templateRelativePath=RecordedFutureAlertOverview.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId2')]", + "contentId": "[variables('_workbookContentId2')]", + "kind": "Workbook", + "version": "[variables('workbookVersion2')]", + "source": { + "kind": "Solution", + "name": "Recorded Future", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Recorded Future Premier Integrations", + "email": "[variables('_email')]" + }, + "support": { + "name": "Recorded Future Support Team", + "email": "support@recordedfuture.com", + "tier": "Partner", + "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "RecordedFuturePortalAlerts_CL", + "kind": "DataType" + } + ] } } - }, + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId2')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook2-name')]", + "contentProductId": "[variables('_workbookcontentProductId2')]", + "id": "[variables('_workbookcontentProductId2')]", + "version": "[variables('workbookVersion2')]" + } + }, + { + "type": 
"Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName3')]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "RecordedFutureDomainCorrelationWorkbook Workbook with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('workbookVersion3')]", + "parameters": {}, + "variables": {}, + "resources": [ { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "name": "[[variables('MicrosoftSentinelConnectionName')]", - "location": "[[variables('workspace-location-inline')]", - "kind": "V1", + "type": "Microsoft.Insights/workbooks", + "name": "[variables('workbookContentId3')]", + "location": "[parameters('workspace-location')]", + "kind": "shared", + "apiVersion": "2021-08-01", + "metadata": { + "description": "Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
+ }, "properties": { - "displayName": "[[variables('MicrosoftSentinelConnectionName')]", - "parameterValueType": "Alternative", - "api": { - "id": "[[variables('_connection-3')]" - } + "displayName": "[parameters('workbook3-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Domain Correlation \\n\\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\\n\\n### How to Correlate Domains\\n\\nTo correlate domains, follow the steps below:\\n\\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\\n\\t* The workbook can correlate domains in the format: `domainName.net`.\\n3. Select a Recorded Future Domain Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table \\t | Field |\\n| ----------- \\t | ----------- |\\n| DNSEvents | Name |\\n| _Im_Dns \\t | DnsQuery |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Domains (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":604800000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Table\",\"label\":\"Domain Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Domain_Logs_Field\",\"label\":\"Log Field with Domains\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Domain_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Domain_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":604800000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(DomainName)\\n| where Description contains \\\"Recorded Future\\\"\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| summarize count() by Description\\n| 
project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - DOMAIN - Default RiskList\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"customWidth\":\"100\",\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| extend parts = split(DomainName, '.')\\n| extend tld = parts[(array_length(parts)-1)]\\n| summarize count() by tostring(tld)\\n| summarize make_list(tld);\\nThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Active == true\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\n| where Description == {RF_Risk_list:value}\\n// Picking up only IOC's that contain the entities we want\\n| where isnotempty(DomainName)\\n| where isnotempty(Tags)\\n| join (\\n {Domain_Logs_Table:value}\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\n //Extract Domain patterns from syslog message\\n | where 
isnotempty({Domain_Logs_Field:value})\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\n //Split out the TLD\\n | extend tld = parts[(array_length(parts)-1)]\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\n | where tld in~ (list_tlds)\\n | extend DNS_TimeGenerated = TimeGenerated\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\n| render barchart\",\"size\":0,\"title\":\"Detected Domains Per Day\",\"noDataMessage\":\"No detected domains\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"100\",\"name\":\"query - 1\"}]},\"customWidth\":\"100\",\"name\":\"group - 14\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains\\n\\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Domain:** The detected domain.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the domain (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where 
isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Domain, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Domain, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected Domains\",\"noDataMessage\":\"No detected 
domains\",\"exportFieldName\":\"Domain\",\"exportParameterName\":\"MaliciousDomainMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == {RF_Risk_list:value}\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {Domain_Logs_Table:value}\\r\\n | where TimeGenerated {Domain_Logs_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty({Domain_Logs_Field:value})\\r\\n | extend parts = split({Domain_Logs_Field:value}, '.')\\r\\n 
//Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Domains: Evidence Details\\n\\nTo view evidence details, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where DomainName == \\\"{MaliciousDomainMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"70%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 3\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Domain_Logs_Table:value}\\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Domain_Logs_Table:value}\\n| where TimeGenerated {Domain_Logs_Time_Range:query}\\n| where {Domain_Logs_Field:value} == \\\"{MaliciousDomainMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousDomainMatch\",\"comparison\":\"isNotEqualTo\",\"value\":\"\"},\"name\":\"query - 1\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureDomainCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", "apiVersion": "2022-01-01-preview", - "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Playbook-', last(split(variables('playbookId8'),'/'))))]", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", "properties": { - "parentId": "[variables('playbookId8')]", - "contentId": "[variables('_playbookContentId8')]", - "kind": "Playbook", - "version": "[variables('playbookVersion8')]", + "description": 
"@{workbookKey=RecordedFutureDomainCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Domain Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Domain Correlation; templateRelativePath=RecordedFutureDomainCorrelation.json; subtitle=; provider=Recorded Future}.description", + "parentId": "[variables('workbookId3')]", + "contentId": "[variables('_workbookContentId3')]", + "kind": "Workbook", + "version": "[variables('workbookVersion3')]", "source": { "kind": "Solution", "name": "Recorded Future", 
@@ -4373,81 +6472,61 @@ "email": "support@recordedfuture.com", "tier": "Partner", "link": "http://support.recordedfuture.com/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "ThreatIntelligenceIndicator", + "kind": "DataType" + } + ] } } } - ], - "metadata": { - "title": "RecordedFuture-Sandbox_Enrichment-Url", - "description": "This playbook will enrich url entities in an incident and send them to Recorded Future Sandbox. The result will be written as a incident comment.", - "prerequisites": "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials", - "postDeployment": [ - "After deployment you have to open the playbook to configure all connections and press save." - ], - "lastUpdateTime": "2023-03-24T00:00:00Z", - "entities": [ - "url" - ], - "tags": [ - "Enrichment" - ], - "releaseNotes": { - "version": "1.0", - "title": "[variables('blanks')]", - "notes": [ - "Initial version" - ] - } - } - } - } - }, - { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2022-02-01", - "name": "[variables('workbookTemplateSpecName1')]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, - "properties": { - "description": "Recorded Future Workbook with template", - "displayName": "Recorded Future workbook template" + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId3')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook3-name')]", + "contentProductId": "[variables('_workbookcontentProductId3')]", + "id": 
"[variables('_workbookcontentProductId3')]", + "version": "[variables('workbookVersion3')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2022-02-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName4')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat HuntingWorkbook with template version 2.4.0", + "description": "RecordedFutureHashCorrelationWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", - "contentVersion": "[variables('workbookVersion1')]", + "contentVersion": "[variables('workbookVersion4')]", "parameters": {}, "variables": {}, "resources": [ { "type": "Microsoft.Insights/workbooks", - "name": "[variables('workbookContentId1')]", + "name": "[variables('workbookContentId4')]", "location": "[parameters('workspace-location')]", "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "Sets the time name for DNS Events and Threat Intelligence Time Range" + "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
}, "properties": { - "displayName": "[parameters('workbook1-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future - C&C DNS Name to DNS Events - Correlation/Threat Hunting\\n\\n\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5aaf92cc-3c1e-43f0-8a2f-18a79d7c1d5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS_Events_Time_Range\",\"label\":\"DNS Events Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}},{\"id\":\"eea9b6a5-76f4-4d3b-b62d-4f5e1c4173b6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Threat Intelligence Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\\r\\n| where isnotempty(DomainName)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n DnsEvents\\r\\n | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty(Name)\\r\\n | extend parts = split(Name, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.Name\\r\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\\r\\n| where isnotempty(DomainName)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = 
parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n DnsEvents\\r\\n | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty(Name)\\r\\n | extend parts = split(Name, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.Name\\r\\n| project Risk=ConfidenceScore, DomainName, ThreatType, AdditionalInformation\\r\\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\\r\\n| mv-expand Evidence\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Rule\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let list_tlds = ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - 
DOMAIN - C2 DNS Name'\\r\\n| where isnotempty(DomainName)\\r\\n| extend parts = split(DomainName, '.')\\r\\n| extend tld = parts[(array_length(parts)-1)]\\r\\n| summarize count() by tostring(tld)\\r\\n| summarize make_list(tld);\\r\\nThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Active == true\\r\\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\\r\\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\\r\\n// Picking up only IOC's that contain the entities we want\\r\\n| where isnotempty(DomainName)\\r\\n| join (\\r\\n DnsEvents\\r\\n | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n //Extract Domain patterns from syslog message\\r\\n | where isnotempty(Name)\\r\\n | extend parts = split(Name, '.')\\r\\n //Split out the TLD\\r\\n | extend tld = parts[(array_length(parts)-1)]\\r\\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\\r\\n | where tld in~ (list_tlds)\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n) on $left.DomainName==$right.Name\\r\\n| project Risk=ConfidenceScore, DomainName, Threat_Intelligence_IOC_Date = TimeGenerated, SourceIP=ClientIP, DNS_Event_Time = DNS_TimeGenerated, ThreatType, Device=Computer, AdditionalInformation\\r\\n| sort by Risk 
desc\\r\\n\",\"size\":0,\"exportFieldName\":\"DomainName\",\"exportParameterName\":\"IOC\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains 'Recorded Future - DOMAIN - C2 DNS Name'\\n| where DomainName == \\\"{IOC}\\\"\\n| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\\n| take 1\\n| mv-expand Evidence\\n| project Rules = Evidence['Rule'], Evidence_String = Evidence['EvidenceString'], Criticality = Evidence['Criticality']\\n| sort by toint(Criticality) desc\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 5\"}],\"fromTemplateId\":\"sentinel-RecordedFuture-Domain-C2DNS-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "displayName": "[parameters('workbook4-name')]", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"🔎 Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Guide: Hash Correlation \\n\\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\\n\\n### How to Correlate hashs\\n\\nTo correlate hashes, follow the steps below:\\n\\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\\n\\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\\n3. Select a Recorded Future Hash Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n| Table \\t \\t| Field |\\n| ----------- \\t \\t| ----------- |\\n| CommonSecurityLog | FileHash |\\n| SecurityEvent \\t| FileHash |\",\"style\":\"info\"},\"name\":\"text - 0\"}]},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"group - 15\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### Hashes (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":1209600000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Table\",\"label\":\"Hash Logs Table\",\"type\":2,\"description\":\"Log Table to correlate Domains Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"EndpointProtection_HASH_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Hash_Logs_Field\",\"label\":\"Log Field with Hashes\",\"type\":2,\"description\":\"Select the field containing the Domain Name that you want to correlate against\",\"isRequired\":true,\"query\":\"{Hash_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Hash_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":1209600000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(FileHashValue)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by 
Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Domains Per Day\\n\\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \\r\\n| where Description == {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected File Hashes Per Day\",\"noDataMessage\":\"No detected hashes\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected Hashs\\n\\nThe Detected Hashs table 
lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **Hash:** The detected hash.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the hash (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by Hash, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], Hash, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected Hashes\",\"noDataMessage\":\"No detected 
hashes\",\"exportedParameters\":[{\"fieldName\":\"Hash\",\"parameterName\":\"MaliciousHashMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| extend FileHashValue = tolower(FileHashValue)\\r\\n| join (\\r\\n {Hash_Logs_Table:value}\\r\\n | where TimeGenerated {Hash_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend Hash_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk 
Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected Hashes: Evidence Details\\n\\nTo view evidence details, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| extend FileHashValue = tolower(FileHashValue)\\n| where FileHashValue == \\\"{MaliciousHashMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"No evidence details to show\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {Hash_Logs_Table:value}\\n\\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{Hash_Logs_Table:value}\\n| where TimeGenerated {Hash_Logs_Time_Range:query}\\n| where {Hash_Logs_Field:value} == 
\\\"{MaliciousHashMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousHashMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 8\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureHashCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -4456,13 +6535,13 @@
 {
 "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
 "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]",
 "properties": {
- "description": "@{workbookKey=RecordedFutureDomainC2DNSWorkbook; logoFileName=RecordedFuture.svg; description=Sets the time name for DNS Events and Threat Intelligence Time Range; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting; templateRelativePath=Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json; subtitle=; provider=Recorded Future}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
+ "description": "@{workbookKey=RecordedFutureHashCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - Hash Correlation; templateRelativePath=RecordedFutureHashCorrelation.json; subtitle=; provider=Recorded Future}.description",
+ "parentId": "[variables('workbookId4')]",
+ "contentId": "[variables('_workbookContentId4')]",
 "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "version": "[variables('workbookVersion4')]",
 "source": {
 "kind": "Solution",
 "name": "Recorded Future",
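Review bot: The `description` on the metadata resource in this hunk is a stringified packaging object with `.description` appended (`@{workbookKey=RecordedFutureHashCorrelationWorkbook; … provider=Recorded Future}.description`) rather than the workbook's description text; the commit renumbers the variable references from 1 to 4 but carries this malformed value across unchanged. The line should read `"description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",`, which is the text embedded inside the broken string. The same stringified-object description appears on the workbookId5 metadata resource in the next hunk. Given this file looks like generated solution output, the member access was presumably never evaluated by the packaging step, so the fix likely belongs there followed by a regeneration rather than a hand edit here.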
@@ -4490,55 +6569,132 @@
 }
 }
 ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId4')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook4-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId4')]",
+ "id": "[variables('_workbookcontentProductId4')]",
+ "version": "[variables('workbookVersion4')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2022-02-01",
- "name": "[variables('workbookTemplateSpecName2')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('workbookTemplateSpecName5')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
 "properties": {
- "description": "Recorded Future Workbook with template",
- "displayName": "Recorded Future workbook template"
+ "description": "RecordedFutureIPCorrelationWorkbook Workbook with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('workbookVersion5')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.Insights/workbooks",
+ "name": "[variables('workbookContentId5')]",
+ "location": "[parameters('workspace-location')]",
+ "kind": "shared",
+ "apiVersion": "2021-08-01",
+ "metadata": {
+ "description": "Recorded Future IP Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." + }, + "properties": { + "displayName": "[parameters('workbook5-name')]", + "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"041885bf-2e2c-42ae-ad35-2e12272b4dc4\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"typeSettings\":{\"additionalResourceOptions\":\"[variables('TemplateEmptyArray')]\"},\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 6\"},{\"type\":1,\"content\":{\"json\":\"### Guide: IP Correlation \\n\\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\\n\\n### How to Correlate IPs\\n\\nTo correlate IPs, follow the steps below:\\n\\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\\n\\t* The workbook can correlate IPs in the format: `5.56.61.62`.\\n3. Select a Recorded Future IP Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n\\n| Table | Field | Table | Field |\\n|------------------------------|--------------------|---------------------------------|-----------|\\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### IP (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Time_Range\",\"label\":\"Logs 
from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Table\",\"label\":\"IP Logs Table\",\"type\":2,\"description\":\"Log Table to correlate IPs Against\",\"isRequired\":true,\"query\":\"search * \\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| summarize count() by $table \\n| sort by count_ desc \\n| where $table != \\\"ThreatIntelligenceIndicator\\\" \\n| project $table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"NetScreen_Firewall_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"IP_Logs_Field\",\"label\":\"Log Field with IPs\",\"type\":2,\"description\":\"Select the field containing the IP that you want to correlate against\",\"isRequired\":true,\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Dst_IPv4_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 
0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":5184000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which IP Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where isnotempty(NetworkIP)\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains \\\"Recorded Future\\\"\\n//| summarize count() by Description\\n| distinct Description\\n| project output = strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - IP - Actively Communicating C&C Server\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs Per Day\\n\\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk 
lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected IPs Per Day\",\"noDataMessage\":\"No detected IPs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected IPs\\n\\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\\n\\n**Table Columns**\\n\\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **IP:** The detected IP.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the IP (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| 
where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by IP, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], IP, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\",\"size\":0,\"title\":\"Detected IPs\",\"noDataMessage\":\"No detected IPs\",\"exportedParameters\":[{\"fieldName\":\"IP\",\"parameterName\":\"MaliciousIPMatch\",\"parameterType\":5}],\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}},{\"columnMatch\":\"AdditionalInformation\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}],\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"$gen_thresholds_Risk_0\",\"sortOrder\":2}]},\"customWidth\":\"70\",\"name\":\"query - 
3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {IP_Logs_Table:value}\\r\\n | where TimeGenerated {IP_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.{IP_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected IPs: Evidence Details\\n\\nTo view evidence details, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list:value}\\n| where NetworkIP == \\\"{MaliciousIPMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) 
desc\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Evidence_String\",\"formatter\":0,\"formatOptions\":{\"customColumnWidthSetting\":\"100%\"}}]}},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {IP_Logs_Table:value}\\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{IP_Logs_Table:value}\\n| where TimeGenerated {IP_Logs_Time_Range:query}\\n| where {IP_Logs_Field:value} == \\\"{MaliciousIPMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousIPMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 9\"}]},\"name\":\"group - 11\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureIPCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "version": "1.0", + "sourceId": "[variables('workspaceResourceId')]", + "category": "sentinel" + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId5'),'/'))))]", + "properties": { + "description": "@{workbookKey=RecordedFutureIPCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future IP Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - IP Correlation; templateRelativePath=RecordedFutureIPCorrelation.json; subtitle=; provider=Recorded Future}.description",
+ "parentId": "[variables('workbookId5')]",
+ "contentId": "[variables('_workbookContentId5')]",
+ "kind": "Workbook",
+ "version": "[variables('workbookVersion5')]",
+ "source": {
+ "kind": "Solution",
+ "name": "Recorded Future",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Recorded Future Premier Integrations",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Recorded Future Support Team",
+ "email": "support@recordedfuture.com",
+ "tier": "Partner",
+ "link": "http://support.recordedfuture.com/"
+ },
+ "dependencies": {
+ "operator": "AND",
+ "criteria": [
+ {
+ "contentId": "ThreatIntelligenceIndicator",
+ "kind": "DataType"
+ }
+ ]
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId5')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook5-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId5')]",
+ "id": "[variables('_workbookcontentProductId5')]",
+ "version": "[variables('workbookVersion5')]"
 }
 },
 {
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2022-02-01",
- "name": "[concat(variables('workbookTemplateSpecName2'),'/',variables('workbookVersion2'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": 
"[variables('workbookTemplateSpecName6')]",
 "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
 "dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName2'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
 ],
 "properties": {
- "description": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat HuntingWorkbook with template version 2.4.0",
+ "description": "RecordedFutureURLCorrelationWorkbook Workbook with template version 3.0.0",
 "mainTemplate": {
 "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion2')]",
+ "contentVersion": "[variables('workbookVersion6')]",
 "parameters": {},
 "variables": {},
 "resources": [
 {
 "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId2')]",
+ "name": "[variables('workbookContentId6')]",
 "location": "[parameters('workspace-location')]",
 "kind": "shared",
 "apiVersion": "2021-08-01",
 "metadata": {
- "description": "Sets the time name for DNS Events and Threat Intelligence Time Range"
+ "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel." 
}, "properties": { - "displayName": "[parameters('workbook2-name')]", - "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"## Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation/Threat Hunting\\n\\n\"},\"name\":\"text - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"5aaf92cc-3c1e-43f0-8a2f-18a79d7c1d5d\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"DNS_Events_Time_Range\",\"label\":\"DNS Events Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}},{\"id\":\"eea9b6a5-76f4-4d3b-b62d-4f5e1c4173b6\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Threat Intelligence Time Range\",\"type\":4,\"isRequired\":true,\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 4\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated 
{Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\\r\\n| join (\\r\\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\r\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\r\\n | mvexpand SingleIP\\r\\n | extend SingleIP = tostring(SingleIP)\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.SingleIP\\r\\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\\r\\n| join (\\r\\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\r\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\r\\n | mvexpand SingleIP\\r\\n | extend SingleIP = tostring(SingleIP)\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.SingleIP\\r\\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, AdditionalInformation\\r\\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\\r\\n| mv-expand Evidence\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ 
desc\\r\\n\\r\\n\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}],\"labelSettings\":[{\"columnId\":\"Rule\"},{\"columnId\":\"count_\",\"label\":\"Count\"}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\\r\\n| join (\\r\\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\\r\\n | where SubType =~ \\\"LookupQuery\\\" and isnotempty(IPAddresses)\\r\\n | extend SingleIP = split(IPAddresses, \\\",\\\")\\r\\n | mvexpand SingleIP\\r\\n | extend SingleIP = tostring(SingleIP)\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend DNS_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.NetworkIP == $right.SingleIP\\r\\n| project Risk=ConfidenceScore, DestinationIP=NetworkIP, Threat_Intelligence_IOC_Date = TimeGenerated, SourceIP=ClientIP, DNS_Event_Time = DNS_TimeGenerated, ThreatType, Device=Computer, AdditionalInformation\\r\\n| sort by Risk 
desc\\r\\n\",\"size\":0,\"exportFieldName\":\"DestinationIP\",\"exportParameterName\":\"IOC\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"thresholdValue\":\"[variables('blanks')]\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]},\"sortBy\":\"[variables('TemplateEmptyArray')]\"},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\\n| where NetworkIP == \\\"{IOC}\\\"\\n| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\\n| take 1\\n| mv-expand Evidence\\n| project Rules = Evidence['Rule'], Evidence_String = Evidence['EvidenceString'], Criticality = Evidence['Criticality']\\n| sort by toint(Criticality) desc\",\"size\":0,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 5\"}],\"fromTemplateId\":\"sentinel-RecordedFuture-IP-ActiveC2-Workbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", + "displayName": "[parameters('workbook6-name')]", + "serializedData": 
"{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Help\",\"label\":\"Show Guide\",\"type\":10,\"isRequired\":true,\"jsonData\":\"[\\n {\\\"value\\\": \\\"Yes\\\", \\\"label\\\": \\\"Yes\\\", \\\"selected\\\":true},\\n {\\\"value\\\": \\\"No\\\", \\\"label\\\": \\\"No\\\"}\\n]\",\"timeContext\":{\"durationMs\":86400000},\"value\":\"No\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 7\"},{\"type\":1,\"content\":{\"json\":\"### Guide: URL Correlation \\n\\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\\n\\n### How to Correlate URLs\\n\\nTo correlate URLs, follow the steps below:\\n\\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\\n\\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\\n\\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\\n3. Select a Recorded Future URL Risk List for correlation.\\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\\n5. 
Done\\n\\n---\\n\\n#### Log table with examples of correlatable log fields\\n\\n| Table | Field |\\n|-------------------|------------|\\n| CommonSecurityLog | RequestURL |\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"### URL (from logs)\"},\"customWidth\":\"50\",\"name\":\"text - 2\"},{\"type\":1,\"content\":{\"json\":\"### Recorded Future Risk List\"},\"customWidth\":\"50\",\"name\":\"text - 3\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"b91b8b5b-10cf-4106-99e2-793eb0d72dce\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Time_Range\",\"label\":\"Logs from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000},\"value\":{\"durationMs\":7776000000}},{\"id\":\"3300ad41-acbc-4ebd-900a-c6ab250b7c73\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Table\",\"label\":\"URL Logs Table\",\"type\":2,\"description\":\"Log Table to correlate URLs Against\",\"isRequired\":true,\"query\":\"search \\\"*\\\" \\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| summarize count() by $table | sort by count_ desc | where $table != \\\"ThreatIntelligenceIndicator\\\" | project 
$table\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"Squid_Proxy_URL_CL\"},{\"id\":\"f4f77ada-b97c-4a82-9421-20a58fb7ce26\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"URL_Logs_Field\",\"label\":\"Log Field with URLs\",\"type\":2,\"description\":\"Select the field containing the URL that you want to correlate against\",\"isRequired\":true,\"query\":\"{URL_Logs_Table:value}\\n| getschema\\n| where DataType == \\\"System.String\\\"\\n| project ColumnName\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"URL_s\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 0\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"95e78560-1e69-437c-8226-7b0f8c4dc199\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"Threat_Intelligence_Time_Range\",\"label\":\"Data from\",\"type\":4,\"isRequired\":true,\"typeSettings\":{\"selectableValues\":[{\"durationMs\":300000},{\"durationMs\":900000},{\"durationMs\":1800000},{\"durationMs\":3600000},{\"durationMs\":14400000},{\"durationMs\":43200000},{\"durationMs\":86400000},{\"durationMs\":172800000},{\"durationMs\":259200000},{\"durationMs\":604800000},{\"durationMs\":1209600000},{\"durationMs\":2419200000},{\"durationMs\":2592000000},{\"durationMs\":5184000000},{\"durationMs\":7776000000}]},\"value\":{\"durationMs\":7776000000}},{\"id\":\"e7c7e2ea-f5b3-4505-b64c-b18ca8561168\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"RF_Risk_list\",\"label\":\"Risk List\",\"type\":2,\"description\":\"Which Domain Risk List do you want to correlate against\",\"isRequired\":true,\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where isnotempty(Url)\\n| where Description contains \\\"Recorded Future\\\"\\n| summarize count() by Description\\n| project output = 
strcat('\\\"', Description, '\\\"')\\n\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"value\":\"\\\"Recorded Future - URL - Recently Reported by Insikt Group\\\"\"}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"customWidth\":\"50\",\"name\":\"parameters - 1\"}],\"exportParameters\":true},\"name\":\"group - 10\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs Per Day\\n\\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\\r\\n| render barchart\",\"size\":0,\"title\":\"Detected URLs Per Day\",\"noDataMessage\":\"No detected URLs\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"query - 1\"}]},\"name\":\"group - 11\"},{\"type\":12,\"content\":{\"version\":\"NotebookGroup/1.0\",\"groupType\":\"editable\",\"items\":[{\"type\":1,\"content\":{\"json\":\"\\n### Guide: Detected URLs\\n\\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\\n\\n**Table Columns**\\n\\n* 
**Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\\n* **URL:** The detected URL.\\n* **Detected:** The time when the log was correlated with a Risk List.\\n* **Log Created:** The time when the log event itself was created.\\n* **Threat Classification:** The type of threat associated with the URL (IOC).\",\"style\":\"info\"},\"conditionalVisibility\":{\"parameterName\":\"Help\",\"comparison\":\"isEqualTo\",\"value\":\"Yes\"},\"name\":\"text - 0\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend IP_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project [\\\"Risk Score\\\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\\\"Log Created\\\"] = IP_TimeGenerated, [\\\"Threat Classification\\\"]=ThreatType\\r\\n| summarize [\\\"Log Created\\\"]=max([\\\"Log Created\\\"]) by URL, [\\\"Risk Score\\\"], Detected, [\\\"Threat Classification\\\"]\\r\\n| project [\\\"Risk Score\\\"], URL, Detected, [\\\"Log Created\\\"], [\\\"Threat Classification\\\"]\\r\\n| sort by [\\\"Risk Score\\\"] desc\\r\\n\",\"size\":0,\"title\":\"Detected URLs\",\"noDataMessage\":\"No detected 
URLs\",\"exportFieldName\":\"URL\",\"exportParameterName\":\"MaliciousURLMatch\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"Risk\",\"formatter\":18,\"formatOptions\":{\"thresholdsOptions\":\"colors\",\"thresholdsGrid\":[{\"operator\":\">=\",\"thresholdValue\":\"90\",\"representation\":\"redBright\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"65\",\"representation\":\"orange\",\"text\":\"{0}{1}\"},{\"operator\":\">=\",\"thresholdValue\":\"25\",\"representation\":\"yellow\",\"text\":\"{0}{1}\"},{\"operator\":\"Default\",\"representation\":\"blue\",\"text\":\"{0}{1}\"}]}}]}},\"customWidth\":\"70\",\"name\":\"query - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\r\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\r\\n| where Description contains {RF_Risk_list:value}\\r\\n| where isnotempty(Tags)\\r\\n| join (\\r\\n {URL_Logs_Table:value}\\r\\n | where TimeGenerated {URL_Logs_Time_Range:query}\\r\\n // renaming time column so it is clear the log this came from\\r\\n | extend URL_TimeGenerated = TimeGenerated\\r\\n)\\r\\non $left.Url == $right.{URL_Logs_Field:value}\\r\\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\\r\\n| extend Evidence=parse_json(Tags)[0]\\r\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\r\\n| extend Rule=Evidence['Rule']\\r\\n| summarize count() by tostring(Rule)\\r\\n| sort by count_ desc\\r\\n\\r\\n\",\"size\":0,\"title\":\"Top Triggered Risk Rules\",\"noDataMessage\":\"No triggered Risk Rules\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"formatters\":[{\"columnMatch\":\"count_\",\"formatter\":8,\"formatOptions\":{\"palette\":\"orange\"}}]}},\"customWidth\":\"30\",\"name\":\"query - 2\"},{\"type\":1,\"content\":{\"json\":\"### Detected URLs: Evidence Details\\n\\nTo view evidence details, click a row (URL) 
in the Detected URLs table.\"},\"name\":\"text - 3\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"ThreatIntelligenceIndicator\\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\\n| where Description contains {RF_Risk_list}\\n| where Url == \\\"{MaliciousURLMatch}\\\"\\n| where isnotempty(Tags)\\n//| where ExpirationDateTime > now()\\n| extend Evidence=parse_json(Tags)[0]\\n| take 1\\n| mv-expand Evidence = parse_json(tostring(Evidence))\\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\\n| sort by toint(Criticality) desc\",\"size\":1,\"noDataMessage\":\"ExpirationDateTime\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 5\"},{\"type\":1,\"content\":{\"json\":\"\\n### Source data from {URL_Logs_Table:value}\\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table.\"},\"name\":\"text - 5\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"{URL_Logs_Table:value}\\n| where TimeGenerated {URL_Logs_Time_Range:query}\\n| where {URL_Logs_Field:value} == \\\"{MaliciousURLMatch}\\\"\\n\",\"size\":1,\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"conditionalVisibility\":{\"parameterName\":\"MaliciousURLMatch\",\"comparison\":\"isNotEqualTo\"},\"name\":\"query - 6\"}]},\"name\":\"group - 10\"}],\"styleSettings\":{\"paddingStyle\":\"wide\"},\"fromTemplateId\":\"sentinel-RecordedFutureURLCorrelationWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n", "version": "1.0", "sourceId": "[variables('workspaceResourceId')]", "category": "sentinel" 
@@ -4547,13 +6703,13 @@
  {
  "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
  "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId6'),'/'))))]",
  "properties": {
- "description": "@{workbookKey=RecordedFutureIPActiveC2Workbook; logoFileName=RecordedFuture.svg; description=Sets the time name for DNS Events and Threat Intelligence Time Range; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting; templateRelativePath=Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json; subtitle=; provider=Recorded Future}.description",
- "parentId": "[variables('workbookId2')]",
- "contentId": "[variables('_workbookContentId2')]",
+ "description": "@{workbookKey=RecordedFutureURLCorrelationWorkbook; logoFileName=RecordedFuture.svg; description=Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Recorded Future - URL Correlation; templateRelativePath=RecordedFutureURLCorrelation.json; subtitle=; provider=Recorded Future}.description",
+ "parentId": "[variables('workbookId6')]",
+ "contentId": "[variables('_workbookContentId6')]",
  "kind": "Workbook",
- "version": "[variables('workbookVersion2')]",
+ "version": "[variables('workbookVersion6')]",
  "source": {
  "kind": "Solution",
  "name": "Recorded Future",
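Review bot: The new `description` value on this metadata resource is the packager's serialized hashtable with the literal suffix `.description` appended (`"@{workbookKey=RecordedFutureURLCorrelationWorkbook; … provider=Recorded Future}.description"`), not the description text itself, so the whole blob is what gets published as the workbook's description. The value should be the plain sentence: `"description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel."`. The removed line has the same shape, so this looks like a defect in the generation script rather than in this commit, but the regenerated output carries it forward and is worth fixing at the source. The enclosing metadata resource continues outside the hunk.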
@@ -4581,17 +6737,35 @@
  }
  }
  ]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_workbookContentId6')]",
+ "contentKind": "Workbook",
+ "displayName": "[parameters('workbook6-name')]",
+ "contentProductId": "[variables('_workbookcontentProductId6')]",
+ "id": "[variables('_workbookcontentProductId6')]",
+ "version": "[variables('workbookVersion6')]"
  }
  },
  {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
  "location": "[parameters('workspace-location')]",
  "properties": {
- "version": "2.4.0",
+ "version": "3.0.0",
  "kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "Recorded Future",
+ "publisherDisplayName": "Recorded Future Support Team",
+ "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

Recorded Future is the worlds largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable.

\n

Playbooks have internal dependencies to RecordedFuture-ImportToSentinel so install the RecordedFuture-ImportToSentinel playbook before any of the others.

\n

This solution takes a dependency on functionality like Azure Logic Apps, Azure Monitor Logs. Some of these dependencies might result in additional ingestion or operational costs.

\n\n

Workbooks: 6, Analytic Rules: 6, Playbooks: 15

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
  "contentId": "[variables('_solutionId')]",
  "parentId": "[variables('_solutionId')]",
  "source": {
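Review bot: The `descriptionHtml` text still tells users that playbooks depend on RecordedFuture-ImportToSentinel and that it must be installed before any of the others, while the package contents in the following hunk add RecordedFuture-ThreatIntelligenceImport and the four *-IndicatorImport playbooks alongside the older IndicatorProcessor ones, and the Alert-Importer template later in this diff points its `prerequisitesDeployTemplateFile` at ThreatIntelligenceImport. If the new import path has its own prerequisite, the install-order sentence should name it as well, since this is the text shown at install time. While editing it, `worlds largest` should read `world's largest`. The `icon` value appears here as an empty string, which may be an artifact of how the diff was captured rather than the committed content; worth confirming the icon markup survives in the template. The contentPackages resource continues outside the hunk.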
@@ -4644,44 +6818,79 @@
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-ImportToSentinel')]",
+ "contentId": "[variables('_RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash')]",
  "version": "[variables('playbookVersion1')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor')]",
+ "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]",
  "version": "[variables('playbookVersion2')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor')]",
+ "contentId": "[variables('_RecordedFuture-Playbook-Alert-Importer')]",
  "version": "[variables('playbookVersion3')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash')]",
+ "contentId": "[variables('_RecordedFuture-Alert-Importer')]",
  "version": "[variables('playbookVersion4')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor')]",
+ "contentId": "[variables('_RecordedFuture-ThreatIntelligenceImport')]",
  "version": "[variables('playbookVersion5')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor')]",
+ "contentId": "[variables('_RecordedFuture-Domain-IndicatorImport')]",
  "version": "[variables('playbookVersion6')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-Ukraine-IndicatorProcessor')]",
+ "contentId": "[variables('_RecordedFuture-Hash-IndicatorImport')]",
  "version": "[variables('playbookVersion7')]"
  },
  {
  "kind": "Playbook",
- "contentId": "[variables('_RecordedFuture-Sandbox_Enrichment-Url')]",
+ "contentId": "[variables('_RecordedFuture-IP-IndicatorImport')]",
  "version": "[variables('playbookVersion8')]"
  },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-URL-IndicatorImport')]",
+ "version": "[variables('playbookVersion9')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-ImportToSentinel')]",
+ "version": "[variables('playbookVersion10')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor')]",
+ "version": "[variables('playbookVersion11')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor')]",
+ "version": "[variables('playbookVersion12')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor')]",
+ "version": "[variables('playbookVersion13')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor')]",
+ "version": "[variables('playbookVersion14')]"
+ },
+ {
+ "kind": "Playbook",
+ "contentId": "[variables('_RecordedFuture-Ukraine-IndicatorProcessor')]",
+ "version": "[variables('playbookVersion15')]"
+ },
  {
  "kind": "Workbook",
  "contentId": "[variables('_workbookContentId1')]",
@@ -4691,10 +6900,31 @@
  "kind": "Workbook",
  "contentId": "[variables('_workbookContentId2')]",
  "version": "[variables('workbookVersion2')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId3')]",
+ "version": "[variables('workbookVersion3')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId4')]",
+ "version": "[variables('workbookVersion4')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId5')]",
+ "version": "[variables('workbookVersion5')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId6')]",
+ "version": "[variables('workbookVersion6')]"
  }
  ]
  },
  "firstPublishDate": "2021-11-01",
+ "lastPublishDate": "2023-09-19",
  "providers": [
  "Recorded Future"
  ],
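Review bot: The eight existing `playbookVersionN` references are kept in position while the `contentId` paired with each one is swapped (for example `playbookVersion1` moves from `_RecordedFuture-ImportToSentinel` to `_RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash`, and ImportToSentinel now takes `playbookVersion10`), so the version the package advertises for each playbook is correct only if the variables block, which is outside this hunk, was renumbered to the same order. If any `playbookVersionN` still holds the value of the playbook it used to describe, the dependency list will publish wrong versions, so the two lists should be cross-checked. Positional names make this fragile on every reorder; naming the variables after the playbook (e.g. a variable per `contentId` suffix) would make later additions safe without touching existing entries. The `criteria` array being edited begins and ends outside this hunk.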
diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-04-42.png b/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-04-42.png new file mode 100644 index 00000000000..26b2cc2c862 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-04-42.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-59-49.png b/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-59-49.png new file mode 100644 index 00000000000..6d351d4b0e2 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-06-26-10-59-49.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-08-09-18-05-46.png b/Solutions/Recorded Future/Playbooks/Images/2023-08-09-18-05-46.png new file mode 100644 index 00000000000..99f9a201a45 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-08-09-18-05-46.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-07-11-11-09.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-07-11-11-09.png new file mode 100644 index 00000000000..52c6ee0d532 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-07-11-11-09.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-01-37.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-01-37.png new file mode 100644 index 00000000000..bb272c2f8c9 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-01-37.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-06.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-06.png new file mode 100644 index 00000000000..62de3a8c529 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-06.png differ 
diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-54.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-54.png new file mode 100644 index 00000000000..4b81caeb67f Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-08-12-13-54.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-13-15-51-44.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-15-51-44.png new file mode 100644 index 00000000000..18d24deeb2d Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-15-51-44.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-16-24.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-16-24.png new file mode 100644 index 00000000000..fae768a5c15 Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-16-24.png differ diff --git a/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-24-54.png b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-24-54.png new file mode 100644 index 00000000000..f476287777b Binary files /dev/null and b/Solutions/Recorded Future/Playbooks/Images/2023-09-13-19-24-54.png differ diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Alert-Importer/azuredeploy.json new file mode 100644 index 00000000000..b1283a95729 --- /dev/null +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Alert-Importer/azuredeploy.json 
@@ -0,0 +1,560 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace. It can create alerts dependant on the parameter: create_incident. ", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "lastUpdateTime": "2023-09-13T00:00:00.000Z", + "entities": [], + "tags": [ "Alert" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Alert-Importer", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-AlertImporter", + "type": "string" + }, + "create_incident": { + "type": "string", + "metadata": { + "description": "Create Microsoft Sentinel incidents (possible values true/false)" + } + }, + "workspace_name": { + "type": "string", + "defaultValue": "", + "metadata": { + "description" : "Microsoft Sentinel Workspace name" + } + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "AzuremonitorlogsConnectionName": "[concat('Azuremonitorlogs-', parameters('PlaybookName'))]", + "MicrosoftSentinelConnectionName": 
"[concat('MicrosoftSentinel-', parameters('PlaybookName'))]", + "Recordedfuturev2ConnectionName": "[concat('Recordedfuturev2-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + }, + "create_incident": { + "type": "string", + "defaultValue": "[parameters('create_incident')]" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each_triggered_alert": { + "foreach": "@body('Search_Triggered_Alerts')?['data']", + "actions": { + "Create_incident_if_parameter_is_set": { + "actions": { + "Add_comment_to_incident_(V3)": { + "runAfter": { + "Parse_JSON_2": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "incidentArmId": "@body('Create_incident')?['id']", + "message": "

@{items('For_each_triggered_alert')?['title']}
\nAlert ID: @{items('For_each_triggered_alert')?['id']}
\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}
\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})
\nAI Summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + } + }, + "Create_incident": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "description": "**Recorded Future Alert**\n@{items('For_each_triggered_alert')?['title']}\nAlert ID: @{items('For_each_triggered_alert')?['id']}\nTriggered: @{items('For_each_triggered_alert')?['log']?['triggered']}\n[Open Recorded Future portal](@{items('For_each_triggered_alert')?['url']?['portal']})\nAI summary: @{items('For_each_triggered_alert')?['ai_insights']?['text']}", + "severity": "Medium", + "status": "New", + "tagsToAdd": { + "TagsToAdd": [ + { + "Tag": "Recorded Future Alert" + } + ] + }, + "title": "@items('For_each_triggered_alert')?['title']" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "put", + "path": "[concat('/Incidents/subscriptions/', subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/workspaces/',parameters('workspace_name') ) ]" + } + }, + "Parse_JSON_2": { + "runAfter": { + "Create_incident": [ + "Succeeded" + ] + }, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_triggered_alert')?['hits']", + "schema": { + "items": { + "properties": { + "analyst_note": {}, + "document": { + "properties": { + "authors": { + "type": "array" + }, + "source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "title": { + "type": [ + "string", + "null" + ] + }, + "url": {} + }, + "type": "object" + }, + "entities": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "fragment": 
{ + "type": "string" + }, + "id": { + "type": "string" + }, + "language": { + "type": "string" + }, + "primary_entity": {} + }, + "required": [ + "entities", + "document", + "fragment", + "id", + "language", + "primary_entity", + "analyst_note" + ], + "type": "object" + }, + "type": "array" + } + } + } + }, + "runAfter": { + "For_each_hit": [ + "Succeeded" + ] + }, + "expression": { + "and": [ + { + "equals": [ + "@parameters('create_incident')", + "true" + ] + } + ] + }, + "type": "If" + }, + "For_each_hit": { + "foreach": "@items('For_each_triggered_alert')['hits']", + "actions": { + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each_hit')", + "schema": { + "properties": { + "analyst_note": {}, + "document": { + "properties": { + "authors": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "source": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "type": "object" + }, + "title": { + "type": [ + "string", + "null" + ] + }, + "url": {} + }, + "type": "object" + }, + "entities": { + "items": { + "properties": { + "id": { + "type": "string" + }, + "name": { + "type": "string" + }, + "type": { + "type": "string" + } + }, + "required": [ + "id", + "name", + "type" + ], + "type": "object" + }, + "type": "array" + }, + "fragment": { + "type": "string" + }, + "id": { + "type": "string" + }, + "language": { + "type": "string" + }, + "primary_entity": {} + }, + "type": "object" + } + } + }, + "Send_Data_2": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"RuleName\": \"@{items('For_each_triggered_alert')?['rule']?['name']}\",\n\"Triggered\": 
\"@{items('For_each_triggered_alert')?['log']?['triggered']}\",\n\"AlertName\": \"@{items('For_each_triggered_alert')?['title']}\",\n\"AlertID\": \"@{items('For_each_triggered_alert')?['id']}\", \n\"Entity\": @{items('For_each_hit')?['entities']},\n\"Documents\": @{items('For_each_hit')?['document']},\n\"URL\": \"@{items('For_each_triggered_alert')?['rule']?['url']?['portal']}\",\n\"Document_url\": \"@{items('For_each_hit')?['document']?['url']}\",\n\"AISummary\": \"@{items('For_each_triggered_alert')?['ai_insights']?['text']}\",\n\"Fragment\": \"@{replace(replace(body('Parse_JSON')?['fragment'], '\\', '\\\\'), '\"', '\\\"')}\"}", + "headers": { + "Log-Type": "RecordedFuturePortalAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": {}, + "type": "Foreach" + } + }, + "runAfter": { + "Search_Triggered_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Initialize_variable": { + "runAfter": {}, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "latest_event_date", + "type": "string", + "value": "@{addHours(utcNow(), -24)}" + } + ] + } + }, + "Run_query_and_list_results": { + "runAfter": { + "Initialize_variable": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "RecordedFuturePortalAlerts_CL\n| summarize LatestEvent=max(Triggered_t)", + "host": { + "connection": { + "name": "@parameters('$connections')['azuremonitorlogs_1']['connectionId']" + } + }, + "method": "post", + "path": "/queryData", + "queries": { + "resourcegroups": "[resourceGroup().name]", + "resourcename": "[parameters('workspace_name')]", + "resourcetype": "Log Analytics Workspace", + "subscriptions": "[subscription().subscriptionId]", + "timerange": "Last 7 days" + } + } + }, + "Search_Triggered_Alerts": { + "runAfter": { + "Set_variable": [ + "Succeeded", + "Skipped" + ] + }, + 
"type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/v2/alerts", + "queries": { + "triggered": "[@{addSeconds(variables('latest_event_date'),1)},@{utcNow()}]" + } + } + }, + "Set_variable": { + "runAfter": { + "Run_query_and_list_results": [ + "Succeeded" + ] + }, + "type": "SetVariable", + "inputs": { + "name": "latest_event_date", + "value": "@string(body('Run_query_and_list_results')?['value'][0]['LatestEvent'])" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + }, + "azuremonitorlogs_1": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "connectionName": "[variables('AzuremonitorlogsConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + }, + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "recordedfuturev2": { + "connectionId": "[resourceId('Microsoft.Web/connections', 
variables('Recordedfuturev2ConnectionName'))]", + "connectionName": "[variables('Recordedfuturev2ConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-AlertImporter", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('AzuremonitorlogsConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('Recordedfuturev2ConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzuremonitorlogsConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzuremonitorlogsConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, 
'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuremonitorlogs')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('Recordedfuturev2ConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('Recordedfuturev2ConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json index 8da4275e062..4cd549b9485 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor/azuredeploy.json 
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the C&C DNS Name Domain RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the C&C DNS Name Domain RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
@@ -11,10 +11,10 @@
 "postDeployment": [
 "After deployment you have to open the playbook to configure all connections and press save."
 ],
- "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/RecordedFuture-ImportToSentinel.json",
- "lastUpdateTime": "2022-08-01T00:00:00.000Z",
+ "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/azuredeploy.json",
+ "lastUpdateTime": "2023-08-07T00:00:00.000Z",
 "entities": [],
- "tags": [ "Threat Intelligence" ],
+ "tags": ["Deprecated","Threat Intelligence"],
 "support": {
 "tier": "Partner"
 },
@@ -23,9 +23,17 @@
 },
 "releaseNotes": [
 {
- "version": "1.0.0",
+ "version": "1.0",
 "title": "RecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor",
 "notes": [ "Initial version" ]
+ },
+ {
+ "version": "1.1",
+ "title": "Deprecated",
+ "notes": [
+ "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md",
+ "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook."
+ ]
 }
 ]
 },
@@ -48,6 +56,10 @@
 "apiVersion": "2019-05-01",
 "name": "[parameters('PlaybookName')]",
 "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor",
+ "hidden-SentinelTemplateVersion": "1.1"
+ },
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]"
 ],
diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Domain-IndicatorImport/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Domain-IndicatorImport/azuredeploy.json
new file mode 100644
index 00000000000..730a1ff82ea
--- /dev/null
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Domain-IndicatorImport/azuredeploy.json
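Review bot: The releaseNotes hunk rewrites an already published version string (`"version": "1.0.0"` becomes `"1.0"`) instead of only appending the `1.1` deprecation entry, and the new entry is appended after `1.0` here while the sibling hunk at L1810 prepends its `1.1` entry before `1.0`, so the two deprecated playbooks now list history in opposite orders. The hunk at L1815 goes further and renumbers every published entry (e.g. `2.3.1` to `2.4`) while moving notes between versions, which makes the changelog unreliable for anyone comparing a deployed `hidden-SentinelTemplateVersion` against it. I would keep the existing version strings as released, add only the new entry, and use one ordering (newest first or oldest first) across all three files. The new `hidden-SentinelTemplateVersion` tag value `"1.1"` in the second hunk is consistent with the added entry, which is fine.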
@@ -0,0 +1,239 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-Domain-IndicatorImport", + "description": "This playbook imports Domain risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Threat Intelligence" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Domain-IndicatorImport", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Domain-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[concat('Recordedfuture-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + 
"$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - Domains - Command and Control Activity", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[domain-name:value = '@{body('Parse_JSON')?['Name']}']", + 
"pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/domain_c2_dns.json" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[variables('RecordedfutureConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Domain-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('RecordedfutureConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + 
"properties": { + "displayName": "[variables('RecordedfutureConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json index 7622826e1c9..c94b5652e8e 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor/azuredeploy.json 
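Review bot: In the `Recurrence` trigger of this new template, `evaluatedRecurrence` declares `"interval": 24` while `recurrence` declares `"interval": 2`, so the two trigger blocks disagree; since `valid_until` is `@{addHours(utcNow(),2)}`, the 2-hour schedule is evidently the intended one, so either align the line to `"interval": 2` or drop the `evaluatedRecurrence` block, which the runtime derives from `recurrence` (the sibling template at L1811 has both set to 24). Separately, `pattern` interpolates `body('Parse_JSON')?['Name']` into a STIX string literal with no escaping, so a risk-list entry containing `'` or `\` would produce an invalid pattern and that batch item would be rejected; escaping both characters before interpolation (in workflow expressions a literal single quote is written as `''`) would make the import robust to unexpected feed values. The `labels` array stringifies the entire `EvidenceDetails` array into one label, which is structured data inside a string; if consumers need the evidence, a separate field or one label per rule would be easier to query. I would also note in the `description` that indicators expire two hours after each run, so a single failed run removes all of them until the next successful run.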
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Observed in Underground Virus Testing Sites Hash RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Observed in Underground Virus Testing Sites Hash RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
@@ -11,10 +11,9 @@
 "postDeployment": [
 "After deployment you have to open the playbook to configure all connections and press save."
 ],
- "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/RecordedFuture-ImportToSentinel.json",
- "lastUpdateTime": "2022-08-01T00:00:00.000Z",
+ "lastUpdateTime": "2023-08-09T00:00:00.000Z",
 "entities": [],
- "tags": [ "Threat Intelligence" ],
+ "tags": [ "Deprecated", "Threat Intelligence" ],
 "support": {
 "tier": "Partner"
 },
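Review bot: The second hunk removes `prerequisitesDeployTemplateFile` entirely, while the `description` on the new side still says the playbook depends on RecordedFuture-ImportToSentinel being installed manually and `prerequisites` still lists "First install the RecordedFuture-ImportToSentinel playbook.", so the deployment metadata no longer points at the template it says is required. The sibling change at L1803 handles the same situation by correcting the path to `"prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/azuredeploy.json",`; I would do the same here unless the removal is deliberate, in which case the prerequisites text should be updated to match. The `tags` array also uses inner spaces here but not at L1803, a trivial style difference worth aligning.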
@@ -23,7 +22,15 @@
 },
 "releaseNotes": [
 {
- "version": "1.0.0",
+ "version": "1.1",
+ "title": "Deprecated",
+ "notes": [
+ "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md",
+ "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook."
+ ]
+ },
+ {
+ "version": "1.0",
 "title": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor",
 "notes": [ "Initial version" ]
 }
@@ -48,6 +55,10 @@
 "apiVersion": "2019-05-01",
 "name": "[parameters('PlaybookName')]",
 "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "RecordedFuture-HASH-Obs_in_Underground-TIProcessor",
+ "hidden-SentinelTemplateVersion": "1.1"
+ },
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]"
 ],
diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Hash-IndicatorImport/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Hash-IndicatorImport/azuredeploy.json
new file mode 100644
index 00000000000..f2abc59b204
--- /dev/null
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Hash-IndicatorImport/azuredeploy.json
@@ -0,0 +1,240 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-Hash-IndicatorImport", + "description": "This playbook imports Hash risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Threat Intelligence" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Hash-IndicatorImport", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Hash-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[concat('Recordedfuture-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 24 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "Algorithm": {}, + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - HASH - Observed in Underground Virus Testing Sites", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": 
"[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),24)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/hash_observed_testing.json" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[variables('RecordedfutureConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-Hash-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": 
"[variables('RecordedfutureConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('RecordedfutureConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json index 98b00e5807e..4e05f0233b7 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/azuredeploy.json @@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash", - "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Sentinel incident \"Sentinel.", + "description": "This playbook leverages the Recorded Future API to enrich IP, Domain, Url & Hash indicators, found in Microsoft Sentinel incidents, with the following context: Risk Score, Risk Rules and Link to Intelligence Card. The enrichment content will be posted as a comment in the Microsoft Sentinel incident \"Microsoft.", "prerequisites": [ "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" ], 
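Review bot: The `Parse_JSON` schema declares `"Algorithm": {}` with no type, yet the same value is interpolated into the STIX pattern `[[file:hashes.'@{body('Parse_JSON')?['Algorithm']}' = '@{body('Parse_JSON')?['Name']}']`, where STIX 2.1 expects a hash dictionary key such as `MD5`, `SHA-1` or `SHA-256`; if the feed omits the field or spells it differently, the indicator is either rejected by the import or silently never matches file hashes, and nothing in the template would report that. I would tighten the schema to `"Algorithm": { "type": "string" }` and add a top-level `"required": [ "Algorithm", "Name", "Risk" ]` so a malformed entry fails at parse time with a clear error rather than downstream. As in the Domain template, `Name` is interpolated into a single-quoted STIX literal without escaping `'` or `\`. Note also that `valid_until` is `@{addHours(utcNow(),24)}` with a 24-hour `recurrence`, so there is no slack: one failed or delayed run expires every indicator until the next successful run, which is worth stating in `description` or widening slightly.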
@@ -26,31 +26,36 @@
 "name": "Recorded Future"
 },
 "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
+ "notes": [ "Initial version" ]
+ },
 {
- "version": "2.3.1",
+ "version": "1.1",
 "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
- "notes": [ "Handle 404 result from enrichment." ]
+ "notes": [ "Improved layout and added Recorded Future Collective Insights." ]
 },
 {
- "version": "2.3.0",
+ "version": "1.2",
 "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
- "notes": [ "Added detections, updated readme and improved layout." ]
+ "notes": [ "Fixed risk rule severity and correct image url." ]
 },
 {
- "version": "1.1.1",
+ "version": "2.3",
 "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
- "notes": [ "Fixed riskrule severity and correct image url." ]
+ "notes": [ "Updated readme and improved layout." ]
 },
 {
- "version": "1.1.0",
+ "version": "2.4",
 "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
- "notes": [ "Improved layout and added consent for intelligence Recorded Future cloud sharing." ]
+ "notes": [ "Handle 404 result from enrichment." ]
 },
 {
- "version": "1.0.0",
+ "version": "2.5",
 "title": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",
- "notes": [ "Initial version" ]
- }
+ "notes": [ "Backend rendered markdown/html to increse performance and reduce cost of enrichment." ]
+ }
 ]
 },
 "parameters": {
@@ -69,6 +74,9 @@
 "apiVersion": "2019-05-01",
 "name": "[parameters('PlaybookName')]",
 "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateVersion": "2.5"
+ },
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('AzureSentinelConnectionName'))]",
 "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]"
@@ -111,7 +119,7 @@
 "inputs": {
 "body": {
 "incidentArmId": "@triggerBody()?['object']?['id']",
- "message": "
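Review bot: The `tags` block added in the `@@ -69,6 +74,9 @@` hunk carries only `hidden-SentinelTemplateVersion` and no `hidden-SentinelTemplateName`, unlike every other template in this change (L1804, L1810 and the new templates at L1807 and L1813 set both), so this playbook cannot be matched back to its Sentinel template by name. I would add `"hidden-SentinelTemplateName": "RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash",` above the version line. The release note for 2.5 also contains the typo `increse`.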


\nEnrichmed Domain: @{body('Parse_JSON_-_DNS_Resolution')?['domainName']}
\nRisk Score: @{body('Domain_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open IOC Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('Domain_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('Domain_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('Domain_Technical_Links_HTML_table')}
\nResearch Links: @{body('Domain_Research_Links_HTML_table')}

" + "message": "

@{body('Domain_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": {
@@ -122,7 +130,7 @@
 "path": "/Incidents/Comment"
 },
 "runAfter": {
- "Domain_Observed_ioc_HTML_table": [
+ "Domain_Enrichment": [
 "Succeeded"
 ]
 },
@@ -144,7 +152,7 @@
 },
 "runAfter": {
 "Add_comment_to_incident_(V3)_-_Domain": [
- "SKIPPED"
+ "Skipped"
 ]
 },
 "type": "ApiConnection"
@@ -163,7 +171,8 @@
 "RFIncidentId": "@variables('RFIncidentId')",
 "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])",
 "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']",
- "fields": "intelCard,risk,links"
+ "fields": "intelCard,risk,links",
+ "htmlresponse": "True"
 }
 },
 "runAfter": {
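Review bot: The new `message` body posts `@{body('Domain_Enrichment')?['data']?['html_response']}` straight into the incident comment, so the comment content is now whatever HTML the enrichment service returns rather than something assembled from typed fields in the playbook; the removed Table actions at L1834 applied `replace(item()?['name'],'.','[.]')` to linked entity names, and no equivalent defanging is visible on the new path, so whether domains in comments remain non-clickable now depends entirely on the backend. That trust shift is worth a line in the template `description` or a comment on the action, e.g. `Comment HTML is rendered by Recorded Future (htmlresponse=True); the playbook does not sanitize or defang it.`, and if the service does not defang, the previous `[.]` treatment should be reinstated before posting. The `"htmlresponse": "True"` query value is a string; if the connector parameter is boolean it may be coerced, but confirming against the connector definition would avoid a silent fallback to the non-HTML response. The enclosing `Add_comment_to_incident_(V3)_-_Domain` action starts in the `@@ -111,7 +119,7 @@` hunk above and the definition continues past these hunks.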
@@ -173,118 +182,6 @@ }, "type": "ApiConnection" }, - "Domain_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('Domain_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "Domain_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('Domain_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "Domain_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('Domain_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "Domain_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Domain_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - 
"header": "Integration_Type", - "value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Domain_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('Domain_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "DOMAIN_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, "Parse_JSON_-_DNS_Resolution": { "inputs": { "content": "@body('Parse_JSON_2')?['properties']", @@ -312,7 +209,7 @@ "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched Hash: @{body('Parse_JSON_-_File_Hash')?['hashValue']}
\nRisk Score: @{body('Hash_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('Hash_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('Hash_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('Hash_Technical_Links_HTML_table')}
\nResearch Links: @{body('Hash_Research_Links_HTML_table')}

" + "message": "

@{body('Hash_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": { @@ -323,7 +220,7 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Hash_Observed_ioc_HTML_table": [ + "Hash_Enrichment": [ "Succeeded" ] }, @@ -345,7 +242,7 @@ }, "runAfter": { "Add_comment_to_incident_(V3)_-_Hash": [ - "SKIPPED" + "Skipped" ] }, "type": "ApiConnection" @@ -364,7 +261,8 @@ "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { 
@@ -374,118 +272,6 @@ }, "type": "ApiConnection" }, - "Hash_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('Hash_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "Hash_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('Hash_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "Hash_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('Hash_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "Hash_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Hash_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": 
"Integration_Type", - "value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('Hash_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('Hash_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "Hash_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, "Parse_JSON_-_File_Hash": { "inputs": { "content": "@body('Parse_JSON_2')?['properties']", @@ -516,7 +302,7 @@ "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched URL: @{replace(body('Parse_JSON_-_Url')?['url'], '.', '[.]')}
\nRisk Score: @{body('URL_Enrichment')?['data']?['risk']?['score']} of 99@{concat('


')}
\nInfrastructure Detections: @{body('Url_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('URL_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('URL_Technical_Links_HTML_table')}
\nResearch Links: @{body('URL_Research_Links_HTML_table')}

" + "message": "

@{body('URL_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": { @@ -527,7 +313,7 @@ "path": "/Incidents/Comment" }, "runAfter": { - "Url_Observed_ioc_HTML_table": [ + "URL_Enrichment": [ "Succeeded" ] }, @@ -549,7 +335,7 @@ }, "runAfter": { "Add_comment_to_incident_(V3)_-_URL": [ - "SKIPPED" + "Skipped" ] }, "type": "ApiConnection" @@ -586,7 +372,8 @@ "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { 
@@ -595,118 +382,6 @@ ] }, "type": "ApiConnection" - }, - "URL_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('URL_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "URL_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "URL_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('URL_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "URL_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "URL_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('URL_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "URL_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "Url_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - 
"value": "@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('URL_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('URL_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "URL_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" } }, "case": "Url" @@ -738,7 +413,7 @@ "inputs": { "body": { "incidentArmId": "@triggerBody()?['object']?['id']", - "message": "


\nEnriched IP: @{body('Parse_JSON_-_Ip')?['address']}
\nRisk Score: @{body('IP_Enrichment')?['data']?['risk']?['score']} of 99
\n@{concat('Open Intelligence Card (Portal)


')}
\nInfrastructure Detections: @{body('IP_Observed_ioc_HTML_table')}
\nRisk Rules: @{body('IP_Evidence_Details_HTML_table')}
\nTechnical Links: @{body('IP_Technical_Links_HTML_table')}
\nResearch Links: @{body('IP_Research_Links_HTML_table')}

" + "message": "

@{body('IP_Enrichment')?['data']?['html_response']}

" }, "host": { "connection": { @@ -749,7 +424,7 @@ "path": "/Incidents/Comment" }, "runAfter": { - "IP_Observed_ioc_HTML_table": [ + "IP_Enrichment": [ "Succeeded" ] }, @@ -769,7 +444,8 @@ "RFIncidentId": "@variables('RFIncidentId')", "Techniques": "@string(triggerBody()?['object']?['properties']?['additionalData']?['techniques'])", "WorkspaceId": "@triggerBody()?['workspaceInfo']?['WorkspaceName']", - "fields": "intelCard,risk,links" + "fields": "intelCard,risk,links", + "htmlresponse": "True" } }, "runAfter": { 
@@ -779,118 +455,6 @@ }, "type": "ApiConnection" }, - "IP_Evidence_Details_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Risk_Rules", - "value": "@item()?['rule']" - }, - { - "header": "Severity", - "value": "@item()?['criticalityLabel']" - }, - { - "header": "Evidence_Details", - "value": "@item()?['evidenceString']" - } - ], - "format": "HTML", - "from": "@body('IP_Enrichment')?['data']?['risk']?['evidenceDetails']" - }, - "runAfter": { - "IP_Enrichment": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "IP_Research_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['data']?['links']?['research']),variables('EmptyArray'),body('IP_Enrichment')?['data']?['links']?['research']?['entities'])" - }, - "runAfter": { - "IP_Technical_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "IP_Technical_Links_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Entity", - "value": "@replace(item()?['name'],'.','[.]')" - }, - { - "header": "Entity_Type", - "value": "@item()?['type']" - }, - { - "header": "Category", - "value": "@item()?['category']" - }, - { - "header": "Risk_Score", - "value": "@item()?['score']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['data']?['links']?['technical']),variables('EmptyArray'),body('IP_Enrichment')?['data']?['links']?['technical']?['entities'])" - }, - "runAfter": { - "IP_Evidence_Details_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, - "IP_Observed_ioc_HTML_table": { - "inputs": { - "columns": [ - { - "header": "Timestamp", - "value": "@item()?['timestamp']" - }, - { - "header": "Integration_Type", - "value": 
"@item()?['integration_type']" - }, - { - "header": "Instance_Id", - "value": "@item()?['integration_instance_id']" - } - ], - "format": "HTML", - "from": "@if(empty(body('IP_Enrichment')?['observed_iocs_history']),variables('EmptyArray'),body('IP_Enrichment')?['observed_iocs_history'])" - }, - "runAfter": { - "IP_Research_Links_HTML_table": [ - "Succeeded" - ] - }, - "type": "Table" - }, "Parse_JSON_-_Ip": { "inputs": { "content": "@body('Parse_JSON_2')?['properties']", @@ -930,18 +494,6 @@ }, "type": "Foreach" }, - "Initialize_variable": { - "inputs": { - "variables": [ - { - "name": "EmptyArray", - "type": "array" - } - ] - }, - "runAfter": {}, - "type": "InitializeVariable" - }, "RFIncidentId": { "inputs": { "variables": [ @@ -952,11 +504,7 @@ } ] }, - "runAfter": { - "Initialize_variable": [ - "Succeeded" - ] - }, + "runAfter": {}, "type": "InitializeVariable" } }, diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json index a14bbca2c6c..857a4cb33bc 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor/azuredeploy.json 
@@ -3,7 +3,7 @@ "contentVersion": "1.0.0.0", "metadata": { "title": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", - "description": "This playbook leverages the Recorded Future API and automatically imports the Actively Communicating C&C Server IP RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", + "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Actively Communicating C&C Server IP RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.", "prerequisites": [ "First install the RecordedFuture-ImportToSentinel playbook.", "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" @@ -11,10 +11,9 @@ "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], - "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/RecordedFuture-ImportToSentinel.json", - "lastUpdateTime": "2022-08-01T00:00:00.000Z", + "lastUpdateTime": "2023-08-09T00:00:00.000Z", "entities": [], - "tags": [ "Threat Intelligence" ], + "tags": ["Deprecated","Threat Intelligence"], "support": { "tier": "Partner" }, 
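Review bot: The deprecation sentence added to `description` is shown verbatim in the Sentinel gallery and has a grammar error: `Use the new IndicatorImport playbooks that is provided in this Solution.` → `Use the new IndicatorImport playbooks provided in this solution.` The second hunk drops `prerequisitesDeployTemplateFile` while `description` and `prerequisites` still instruct the user to install RecordedFuture-ImportToSentinel first, so the dependency is now stated but no longer deployable from the template; either keep the field or reword the prerequisite as a pointer to the IndicatorImport replacement. The same description wording is added again in the RecordedFuture-ImportToSentinel hunk `@@ -1,50 +1,62 @@`.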
@@ -23,7 +22,15 @@ }, "releaseNotes": [ { - "version": "1.0.0", + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." + ] + }, + { + "version": "1.0", "title": "RecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor", "notes": [ "Initial version" ] } @@ -48,6 +55,10 @@ "apiVersion": "2019-05-01", "name": "[parameters('PlaybookName')]", "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor", + "hidden-SentinelTemplateVersion": "1.1" + }, "dependsOn": [ "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" ], diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-IndicatorImport/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-IndicatorImport/azuredeploy.json new file mode 100644 index 00000000000..f31616ef599 --- /dev/null +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-IP-IndicatorImport/azuredeploy.json 
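Review bot: The second 1.1 release note is a sentence fragment: `Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook.` → `Once a new IndicatorImport playbook that downloads the same risk list is installed, deactivate or delete this playbook.`, and `Deprecated in favor for` → `Deprecated in favor of`. The version strings also change format here from `1.0.0` to `1.0`/`1.1`; if any tooling compares release-note versions as three-part semver, this will presumably stop parsing, so check the schema-validation tests before merging. The same two notes are added in the ImportToSentinel hunk `@@ -1,50 +1,62 @@`.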
@@ -0,0 +1,239 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-IP-IndicatorImport", + "description": "This playbook imports IP risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Threat Intelligence" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-IP-IndicatorImport", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-IP-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[concat('Recordedfuture-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ThreatIntelligenceImport": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - IP - Actively Communicating C&C Server", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[ipv4-addr:value = '@{body('Parse_JSON')?['Name']}']", + 
"pattern_type": "stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),1)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/ip_active_c2.json" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[variables('RecordedfutureConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-IP-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('RecordedfutureConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { 
+ "displayName": "[variables('RecordedfutureConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json index b193c02a19f..f1a2c105a6b 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-ImportToSentinel/azuredeploy.json 
@@ -1,50 +1,62 @@ { - "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", - "contentVersion": "1.0.0.0", + "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", "metadata": { "title": "RecordedFuture-ImportToSentinel", - "description": "This playbook is purposed to listen (via batching mechanism provided by Microsoft Azure) for incoming messages from the IndicatorProcessor Playbooks and create submit the indicators for creation", + "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook is purposed to listen (via batching mechanism provided by Microsoft Azure) for incoming messages from the IndicatorProcessor Playbooks and create submit the indicators for creation", "postDeployment": [ "After deployment you have to open the playbook to configure all connections and press save." ], "prerequisites": [ "None" ], - "lastUpdateTime": "2022-08-01T00:00:00.000Z", + "lastUpdateTime": "2023-08-09T00:00:00.000Z", "entities": [], - "tags": ["Threat Intelligence"], + "tags": [ "Deprecated", "Threat Intelligence" ], "support": { "tier": "Partner" }, "author": { - "name": "Adrian Porcescu, Recorded Future" + "name": "Recorded Future" }, "releaseNotes": [ { - "version": "1.0.0", + "version": "1.1", + "title": "Deprecated", + "notes": [ + "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md", + "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook." 
+ ] + }, + { + "version": "1.0", "title": "RecordedFuture-ImportToSentinel", "notes": [ "Initial version" ] } ] }, - "parameters": { - "PlaybookName": { - "type": "string", - "defaultValue": "RecordedFuture-ImportToSentinel" - } - }, - "variables": { - "GraphSecurityConnectionName": "[concat('microsoftgraphsecurity-', parameters('PlaybookName'))]" - }, - "resources": [ - { - "type": "Microsoft.Logic/workflows", - "apiVersion": "2019-05-01", - "name": "[parameters('PlaybookName')]", - "location": "[resourceGroup().location]", - "dependsOn": [ - "[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]" - ], - "properties": { - "definition": { + "parameters": { + "PlaybookName": { + "type": "string", + "defaultValue": "RecordedFuture-ImportToSentinel" + } + }, + "variables": { + "GraphSecurityConnectionName": "[concat('microsoftgraphsecurity-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2019-05-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ImportToSentinel", + "hidden-SentinelTemplateVersion": "1.1" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]" + ], + "properties": { + "definition": { "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", "actions": { "Select": { 
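Review bot: Most of this hunk re-indents `parameters`, `variables` and `resources` lines whose content is unchanged, which buries the three substantive edits (the `**[Deprecated]**` description, the `Deprecated` tag and the new `hidden-SentinelTemplate*` tags) and makes `git blame` attribute the whole file to this commit. Keep formatting-only changes in a separate commit; the following hunk `@@ -104,30 +116,30 @@` is whitespace-only as well.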
@@ -104,30 +116,30 @@ } } }, - "parameters": { - "$connections": { - "value": { - "microsoftgraphsecurity": { - "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/microsoftgraphsecurity')]", - "connectionId": "[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]", - "connectionName": "[variables('GraphSecurityConnectionName')]" - } - } - } - } - } - }, - { - "type": "Microsoft.Web/connections", - "apiVersion": "2016-06-01", - "location": "[resourceGroup().location]", - "name": "[variables('GraphSecurityConnectionName')]", - "properties": { - "api": { - "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/microsoftgraphsecurity')]" - } - } - } - ], - "outputs": {} + "parameters": { + "$connections": { + "value": { + "microsoftgraphsecurity": { + "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/microsoftgraphsecurity')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('GraphSecurityConnectionName'))]", + "connectionName": "[variables('GraphSecurityConnectionName')]" + } + } + } + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "location": "[resourceGroup().location]", + "name": "[variables('GraphSecurityConnectionName')]", + "properties": { + "api": { + "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/microsoftgraphsecurity')]" + } + } + } + ], + "outputs": {} } diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json new file mode 100644 index 00000000000..92647d7a218 --- /dev/null 
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Playbook-Alert-Importer/azuredeploy.json 
@@ -0,0 +1,198 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-Playbook-Alert-Importer", + "description": "This playbook imports alerts from Recorded Future and stores them in a custom log in the log analytics workspace.", + "prerequisites": [ + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "", + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Alert" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Playbook-Alert-Importer", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-Playbook-Alert-Importer", + "type": "string" + } + }, + "variables": { + "AzureloganalyticsdatacollectorConnectionName": "[concat('Azureloganalyticsdatacollector-', parameters('PlaybookName'))]", + "RecordedFutureConnectionName": "recordedfuture-connectorv2" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 1 + }, + 
"evaluatedRecurrence": { + "frequency": "Hour", + "interval": 1 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Search_Playbook_Alerts')", + "actions": { + "Get_Playbook_Alert_by_ID": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "get", + "path": "/playbook-alert/@{encodeURIComponent(items('For_each')?['playbook_alert_id'])}" + } + }, + "Send_Data": { + "runAfter": { + "Get_Playbook_Alert_by_ID": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "{\n\"title\": \"@{body('Get_Playbook_Alert_by_ID')?['title']}\",\n\"id\": \"@{body('Get_Playbook_Alert_by_ID')?['id']}\",\n\"category\":\"@{body('Get_Playbook_Alert_by_ID')?['category']}\",\n\"rule_label\":\"@{body('Get_Playbook_Alert_by_ID')?['rule_label']}\",\n\"status\": \"@{body('Get_Playbook_Alert_by_ID')?['status']}\", \n\"priority\": \"@{body('Get_Playbook_Alert_by_ID')?['priority']}\",\n\"created_date\": \"@{body('Get_Playbook_Alert_by_ID')?['created_date']}\",\n\"updated_date\": \"@{body('Get_Playbook_Alert_by_ID')?['updated_date']}\",\n\"targets\":\"@{body('Get_Playbook_Alert_by_ID')?['targets']}\",\n\"evidence_summary\": \"@{body('Get_Playbook_Alert_by_ID')?['evidence_summary']}\",\n\"link\": \"@{body('Get_Playbook_Alert_by_ID')?['link']}\"\n}", + "headers": { + "Log-Type": "RecordedFuturePlaybookAlerts" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azureloganalyticsdatacollector']['connectionId']" + } + }, + "method": "post", + "path": "/api/logs" + } + } + }, + "runAfter": { + "Search_Playbook_Alerts": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Search_Playbook_Alerts": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "body": { + "categories": [ + "domain_abuse", + "cyber_vulnerability", + "code_repo_leakage" + ], + "created_from_relative": "-1" + }, + 
"host": { + "connection": { + "name": "@parameters('$connections')['recordedfuturev2']['connectionId']" + } + }, + "method": "post", + "path": "/playbook-alert/search" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azureloganalyticsdatacollector": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "connectionName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + }, + "recordedfuturev2": { + "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/recordedfuturev2')]", + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]", + "connectionName": "[variables('RecordedFutureConnectionName')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "tags": { + "hidden-SentinelTemplateName": "PlaybookAlert-Import", + "hidden-SentinelTemplateVersion": "1.0" + }, + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('AzureloganalyticsdatacollectorConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('AzureloganalyticsdatacollectorConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', 
subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azureloganalyticsdatacollector')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('RecordedFutureConnectionName')]", + "location": "[resourceGroup().location]", + "properties": { + "api": { + "id": "[concat('/subscriptions/',subscription().subscriptionId,'/providers/Microsoft.Web/locations/',resourceGroup().location,'/managedApis/recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json index 1262135f5ec..6b274d23f2d 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Enrichment-Url/azuredeploy.json @@ -20,7 +20,14 @@ }, "author": { "name": "Recorded Future" - } + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-Sandbox_Enrichment-Url", + "notes": [ "Initial version" ] + } + ] }, "parameters": { "PlaybookName": { diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json index 09285212031..63305a9f3c1 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_Outlook_Attachment/azuredeploy.json @@ -10,9 +10,7 @@ ], "prerequisitesDeployTemplateFile": "", "lastUpdateTime": "2023-04-28T00:00:00.000Z", - "entities": [ - "url" - ], + "entities": [], "tags": [ "Enrichment" ], "support": { "tier": "Partner", 
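Review bot: The `Send_Data` body is a hand-assembled JSON string with alert fields (`title`, `rule_label`, `evidence_summary`, `targets`, …) interpolated verbatim, so a value containing a double quote, backslash or newline produces an invalid or altered record; these fields come from Recorded Future alert content, not from this template. Letting the runtime serialize instead — build the record as an object in a `Compose` action and pass `@{string(outputs('Compose'))}` as the body — keeps escaping correct. `targets` and `evidence_summary` also look like structured values; `@{...}` turns each into a quoted JSON-text string inside the record, which is presumably not intended. The metadata `description` does not say that the playbook polls hourly or what window `"created_from_relative": "-1"` selects; a sentence covering both would help operators size the ingestion.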
@@ -20,7 +18,14 @@
 },
 "author": {
 "name": "Recorded Future"
- }
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "RecordedFuture-Sandbox_Outlook_Attachment",
+ "notes": [ "Initial version" ]
+ }
+ ]
 },
 "parameters": {
 "PlaybookName": {
diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json
index a9bb7661606..96cb9de9873 100644
--- a/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Sandbox_StorageAccount/azuredeploy.json
@@ -10,9 +10,7 @@
 ],
 "prerequisitesDeployTemplateFile": "",
 "lastUpdateTime": "2023-04-28T00:00:00.000Z",
- "entities": [
- "url"
- ],
+ "entities": [],
 "tags": [ "Enrichment" ],
 "support": {
 "tier": "Partner",
@@ -20,11 +18,18 @@
 },
 "author": {
 "name": "Recorded Future"
- }
+ },
+ "releaseNotes": [
+ {
+ "version": "1.0",
+ "title": "RecordedFuture-Sandbox_StorageAccount",
+ "notes": [ "Initial version" ]
+ }
+ ]
 },
 "parameters": {
 "PlaybookName": {
- "defaultValue": "TestAppFileSandbox",
+ "defaultValue": "RecordedFuture-Sandbox_StorageAccount",
 "type": "string"
 },
 "sandbox_api_key": {
diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json
new file mode 100644
index 00000000000..ec0182d8cc4
--- /dev/null
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-ThreatIntelligenceImport/azuredeploy.json
@@ -0,0 +1,169 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-ThreatIntelligenceImport", + "description": "This playbook will write indicators in batch to ThreatIntelligenceIndicator log analytics table.", + "prerequisites": [ + "Microsoft Sentinel Threat Intelligence active" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Threat Intelligence" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-ThreatIntelligenceImport", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "string" + }, + "workspace": { + "type": "string", + "defaultValue": "", + "metadata": { + "description" : "Microsoft Sentinel Workspace name" + } + } + }, + "variables": { + "MicrosoftSentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Batch_messages": { + "type": "Batch", + "inputs": { + "configurations": { + "RFImportToSentinel": { + "releaseCriteria": { + "messageCount": 100, + "recurrence": { + "frequency": "Minute", + "interval": 10 + } + } + } + }, + "mode": "Inline" + } + } + }, + 
"actions": { + "Compose": { + "runAfter": { + "Select": [ + "Succeeded" + ] + }, + "type": "Compose", + "inputs": { + "sourcesystem": "Recorded Future", + "value": "@body('Select')" + } + }, + "Select": { + "runAfter": {}, + "type": "Select", + "inputs": { + "from": "@triggerBody()['items']", + "select": "@item()['content']" + } + }, + "Threat_Intelligence_-_Upload_Indicators_of_Compromise_(Private_Preview)": { + "runAfter": { + "Compose": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": "@outputs('Compose')", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "[concat('/ThreatIntelligence/', reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))).customerId,'/UploadIndicators')]" + } + } + } + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]", + "connectionName": "[variables('MicrosoftSentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-ThreatIntelligenceImport", + "hidden-SentinelTemplateVersion": "1.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('MicrosoftSentinelConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('MicrosoftSentinelConnectionName')]", + "location": 
"[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[variables('MicrosoftSentinelConnectionName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Azuresentinel')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-IndicatorImport/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-IndicatorImport/azuredeploy.json new file mode 100644 index 00000000000..920011141b8 --- /dev/null +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-IndicatorImport/azuredeploy.json 
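Review bot: The `workspace` parameter defaults to `""` with no `minLength`, but the upload path evaluates `reference(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace'))).customerId`, so a deployment that keeps the default fails inside `resourceId()` with an unhelpful error instead of a validation message; add `"minLength": 1` next to `"defaultValue": ""`. The `azuresentinel` connection authenticates as the workflow's system-assigned identity, yet nothing in this template grants that identity a role on the workspace, and `postDeployment` only mentions configuring connections; it should also say that the playbook's managed identity must be assigned the appropriate Microsoft Sentinel role on the target workspace before `UploadIndicators` calls succeed. The `Batch_messages` trigger forwards every batched item through `Select`/`Compose` unchanged, so any validation of indicator content rests on the upload API — worth one sentence in `description` so callers know this playbook does not filter.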
@@ -0,0 +1,239 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "RecordedFuture-URL-IndicatorImport", + "description": "This playbook imports URL risk lists from Recorded Future and stores them as Threat Intelligence Indicators in Microsoft Sentinel, for detection purposes.\n\nThis playbook depends on RecordedFuture-ThreatIntelligenceImport that need to be installed **manually** before installing this playbook.", + "prerequisites": [ + "First install the RecordedFuture-ThreatIntelligenceImport playbook.", + "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials" + ], + "postDeployment": [ + "After deployment, open the playbook to configure all connections and press save." + ], + "prerequisitesDeployTemplateFile": "../RecordedFuture-ThreatIntelligenceImport/azuredeploy.json", + "lastUpdateTime": "2023-07-06T00:00:00.000Z", + "entities": [], + "tags": [ "Threat Intelligence" ], + "support": { + "tier": "Partner", + "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator" + }, + "author": { + "name": "Recorded Future" + }, + "releaseNotes": [ + { + "version": "1.0", + "title": "RecordedFuture-URL-IndicatorImport", + "notes": [ "Initial version" ] + } + ] + }, + "parameters": { + "PlaybookName": { + "defaultValue": "RecordedFuture-URL-IndicatorImport", + "type": "string" + }, + "PlaybookNameBatching": { + "defaultValue": "RecordedFuture-ThreatIntelligenceImport", + "type": "String" + } + }, + "variables": { + "RecordedfutureConnectionName": "[concat('Recordedfuture-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "properties": { + "provisioningState": "Succeeded", + "state": "Enabled", + "definition": { + "$schema": 
"https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Recurrence": { + "recurrence": { + "frequency": "Hour", + "interval": 2 + }, + "evaluatedRecurrence": { + "frequency": "Hour", + "interval": 24 + }, + "type": "Recurrence" + } + }, + "actions": { + "For_each": { + "foreach": "@body('Recorded_Future_RiskLists_and_SCF_Download')", + "actions": { + "Parse_JSON": { + "runAfter": {}, + "type": "ParseJson", + "inputs": { + "content": "@items('For_each')", + "schema": { + "properties": { + "EvidenceDetails": { + "properties": { + "EvidenceDetails": { + "items": { + "properties": { + "Criticality": { + "type": "integer" + }, + "CriticalityLabel": { + "type": "string" + }, + "EvidenceString": { + "type": "string" + }, + "Rule": { + "type": "string" + }, + "Timestamp": { + "type": "integer" + } + }, + "required": [ + "Rule", + "EvidenceString", + "CriticalityLabel", + "Timestamp", + "Criticality" + ], + "type": "object" + }, + "type": "array" + } + }, + "type": "object" + }, + "Name": { + "type": "string" + }, + "Risk": { + "type": "integer" + }, + "riskString": { + "type": "string" + } + }, + "type": "object" + } + } + }, + "RecordedFuture-ImportToSentinel": { + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "SendToBatch", + "inputs": { + "batchName": "RFImportToSentinel", + "content": { + "confidence": "@int(body('Parse_JSON')?['Risk'])", + "created": "@{utcNow()}", + "description": "Recorded Future - URL - Recently Reported by Insikt Group", + "id": "indicator--@{guid()}", + "indicator_types": [ + "malicious-activity" + ], + "labels": [ + "@{body('Parse_JSON')?['EvidenceDetails']?['EvidenceDetails']}" + ], + "modified": "@{utcNow()}", + "name": "@{body('Parse_JSON')?['Name']}", + "pattern": "[[url:value = '@{body('Parse_JSON')?['Name']}']", + "pattern_type": 
"stix", + "spec_version": "2.1", + "type": "indicator", + "valid_from": "@{utcNow()}", + "valid_until": "@{addHours(utcNow(),2)}" + }, + "host": { + "triggerName": "Batch_messages", + "workflow": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/resourceGroups/', resourceGroup().name, '/providers/Microsoft.Logic/workflows/', parameters('PlaybookNameBatching'))]" + } + } + } + } + }, + "runAfter": { + "Recorded_Future_RiskLists_and_SCF_Download": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Recorded_Future_RiskLists_and_SCF_Download": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['recordedfuture']['connectionId']" + } + }, + "method": "get", + "path": "/fusion/files", + "queries": { + "path": "/public/MicrosoftAzure/url_insikt.json" + } + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "recordedfuture": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]", + "connectionName": "[variables('RecordedfutureConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + } + }, + "name": "[parameters('PlaybookName')]", + "type": "Microsoft.Logic/workflows", + "location": "[resourceGroup().location]", + "identity": { + "type": "SystemAssigned" + }, + "apiVersion": "2017-07-01", + "tags": { + "hidden-SentinelTemplateName": "RecordedFuture-URL-IndicatorImport", + "hidden-SentinelTemplateVersion": "1.0" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('RecordedfutureConnectionName')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": 
"[variables('RecordedfutureConnectionName')]", + "customParameterValues": {}, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/Recordedfuturev2')]" + } + } + } + ] +} diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json index 477dbb7bf0b..5387d286c52 100644 --- a/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json +++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor/azuredeploy.json 
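Review bot: The STIX pattern in `RecordedFuture-ImportToSentinel` is built as `[url:value = '@{body('Parse_JSON')?['Name']}']` with the risk-list URL inserted verbatim, so an entry containing a single quote or backslash yields a malformed pattern (or one matching a different string) and the indicator is rejected or imported incorrectly; escape backslashes and single quotes with nested `replace()` calls before interpolation, following the STIX string-escape rules. `evaluatedRecurrence` says `interval: 24` while `recurrence` says `interval: 2` and `valid_until` is `addHours(utcNow(),2)`; this looks like a stale generator artifact, and if the effective cadence were ever 24 hours every indicator would expire long before the next import. `PlaybookNameBatching` uses `"type": "String"` where `PlaybookName` uses `"string"`; ARM accepts both, but the file should pick one.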
@@ -3,7 +3,7 @@
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Recently Reported by Insikt Group URL RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Recently Reported by Insikt Group URL RiskList, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
@@ -11,10 +11,9 @@
 "postDeployment": [
 "After deployment you have to open the playbook to configure all connections and press save."
 ],
- "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/RecordedFuture-ImportToSentinel.json",
- "lastUpdateTime": "2022-08-01T00:00:00.000Z",
+ "lastUpdateTime": "2022-08-09T00:00:00.000Z",
 "entities": [],
- "tags": [ "Threat Intelligence" ],
+ "tags": [ "Deprecated", "Threat Intelligence" ],
 "support": {
 "tier": "Partner"
 },
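Review bot: The second hunk sets `lastUpdateTime` to `2022-08-09T00:00:00.000Z` for a deprecation that the sibling RecordedFuture-Ukraine-IndicatorProcessor template in this same commit dates `2023-09-13` and the new IndicatorImport templates date `2023-07-06`; the year is probably a typo, and as written the 1.1 deprecation release predates the 1.0 templates it points users to. `2023-08-09` (or the same date as the Ukraine template) would be consistent.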
@@ -23,7 +22,15 @@
 },
 "releaseNotes": [
 {
- "version": "1.0.0",
+ "version": "1.1",
+ "title": "Deprecated",
+ "notes": [
+ "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md",
+ "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook."
+ ]
+ },
+ {
+ "version": "1.0",
 "title": "RecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor",
 "notes": [ "Initial version" ]
 }
@@ -48,6 +55,10 @@
 "apiVersion": "2019-05-01",
 "name": "[parameters('PlaybookName')]",
 "location": "[resourceGroup().location]",
+ "tags": {
+ "hidden-SentinelTemplateName": "RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor",
+ "hidden-SentinelTemplateVersion": "1.1"
+ },
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('RecordedFutureConnectionName'))]"
 ],
diff --git a/Solutions/Recorded Future/Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json b/Solutions/Recorded Future/Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json
index 5c55c7f833f..2141e8054b4 100644
--- a/Solutions/Recorded Future/Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json
+++ b/Solutions/Recorded Future/Playbooks/RecordedFuture-Ukraine-IndicatorProcessor/azuredeploy.json
@@ -1,9 +1,9 @@
 {
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "$schema": "https://schema.management.azure.com/schemas/2015-01-01/deploymentTemplate.json#",
 "contentVersion": "1.0.0.0",
 "metadata": {
 "title": "RecordedFuture-Ukraine-IndicatorProcessor",
- "description": "This playbook leverages the Recorded Future API and automatically imports the Ukraine RiskLists, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
+ "description": "**[Deprecated]**\nDeprecated due to changes in the Threat Intelligence Platform. Use the new IndicatorImport playbooks that is provided in this Solution.\n\nThis playbook leverages the Recorded Future API and automatically imports the Ukraine RiskLists, as Threat Intelligence Indicators, for detection purposes in Microsoft Sentinel.\n\nThis playbook depends on RecordedFuture-ImportToSentinel that need to be installed **manually** before installing current playbook.",
 "prerequisites": [
 "First install the RecordedFuture-ImportToSentinel playbook.",
 "To use the Recorded Future for Azure connector, you will need a valid API token from Recorded Future as described in the documentation https://learn.microsoft.com/en-us/connectors/recordedfuturev2/#how-to-get-credentials"
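Review bot: `$schema` is moved from the `2019-04-01` deployment-template schema back to `2015-01-01`, while every other template touched or added in this commit stays on `2019-04-01`; a schema downgrade bundled with a deprecation edit looks accidental and makes this file the odd one out for tooling that validates against the declared schema. Unless there is a reason, keep `"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#"`.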
@@ -11,18 +11,31 @@
 "postDeployment": [
 "After deployment you have to open the playbook to configure all connections and press save."
 ],
- "prerequisitesDeployTemplateFile": "../RecordedFuture-ImportToSentinel/RecordedFuture-ImportToSentinel.json",
- "lastUpdateTime": "2022-09-20T00:00:00.000Z",
- "entities": [
- ],
- "tags": [ "Threat Intelligence" ],
+ "lastUpdateTime": "2023-09-13T00:00:00.000Z",
+ "entities": [],
+ "tags": ["Deprecated","Threat Intelligence"],
 "support": {
 "tier": "Partner",
 "armtemplate": "Generated from https://github.com/Azure/Azure-Sentinel/tree/master/Tools/Playbook-ARM-Template-Generator"
 },
 "author": {
- "name": ""
- }
+ "name": "Recorded Future"
+ },
+ "releaseNotes": [
+ {
+ "version": "1.1",
+ "title": "Deprecated",
+ "notes": [
+ "Deprecated in favor for the new IndicatorImport playbooks. More information can be found in the readme on Github https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Recorded%20Future/Playbooks/readme.md",
+ "Once a new IndicatorImport playbook is installed downloading the same risk list. Deactivate or delete this playbook."
+ ]
+ },
+ {
+ "version": "1.0",
+ "title": "RecordedFuture-Ukraine-IndicatorProcessor",
+ "notes": [ "Initial version" ]
+ }
+ ]
 },
 "parameters": {
 "PlaybookName": {
@@ -47,8 +60,7 @@
 "contentVersion": "1.0.0.0",
 "parameters": {
 "$connections": {
- "defaultValue": {
- },
+ "defaultValue": {},
 "type": "Object"
 }
 },
@@ -638,13 +650,13 @@
 "type": "Microsoft.Logic/workflows",
 "location": "[resourceGroup().location]",
 "tags": {
- "hidden-SentinelTemplateName": "RecordedFuture_Ukraine_Detection_IndicatorProcessor",
- "hidden-SentinelTemplateVersion": "1.0"
+ "hidden-SentinelTemplateName": "RecordedFuture-Ukraine-IndicatorProcessor",
+ "hidden-SentinelTemplateVersion": "1.1"
 },
 "identity": {
 "type": "SystemAssigned"
 },
- "apiVersion": "2017-07-01",
+ "apiVersion": "2019-05-01",
 "dependsOn": [
 "[resourceId('Microsoft.Web/connections', variables('RecordedfutureConnectionName'))]"
 ]
diff --git a/Solutions/Recorded Future/Playbooks/readme.md b/Solutions/Recorded Future/Playbooks/readme.md
index 702bf62c510..a00d17704d4 100644
--- a/Solutions/Recorded Future/Playbooks/readme.md
+++ b/Solutions/Recorded Future/Playbooks/readme.md
@@ -3,62 +3,87 @@ # Overview -Recorded Future are the world’s largest provider of intelligence for enterprise security. By combining persistent and pervasive automated data collection and analytics with human analysis, Recorded Future delivers intelligence that is timely, accurate, and actionable. +This guide provides instructions on how to install, update and configure Recorded Future Intelligence for Microsoft Sentinel. -The Recorded Future Microsoft Sentinel Integration will supercharge Sentinel by integrating intelligence from Recorded Future. +Recorded Future is the world's largest provider of intelligence for enterprise security. By seamlessly combining automated data collection, pervasive analytics, and expert human analysis, Recorded Future delivers timely, accurate, and actionable intelligence. -**Benefits** -- Detect risky indicators of compromise (IOCs) in your environment. +**Benefits of Recorded Future integrations** +- Detect indicators of compromise (IOCs) in your environment. - Triage alerts faster with elite, real-time intelligence. - Respond quickly with transparency and context around internal telemetry data. - Maximize your investment in Microsoft Sentinel. -For more information see: [How to Apply Elite Intelligence to Microsoft Azure Sentinel](https://www.recordedfuture.com/microsoft-azure-sentinel-integration) +[Learn more about Recorded Future for Microsoft Sentinel](https://www.recordedfuture.com/microsoft-azure-sentinel-integration) -# Use cases -The playbooks provided in the Recorded Future Solution support use cases for detection and incident response. Automation of a complete use case will require installation of playbooks, creation of analytic rules, and configuration of automation rules. 
-## Detection - Risk list +# Key Features +Recorded Future for Microsoft Sentinel offers a range of powerful intelligence capabilities, some of the key features include: +## **IOC Detection (Detect)** -The TI-Processor pulls configured risk lists from Recorded Future and writes the contained indicators to Sentinels ThreatIntelligenceIndicator table in batches via the RecordedFuture-ImportToSentinel playbook. +The TI-Processor playbooks pulls risk lists from Recorded Future and writes the contained indicators to the Sentinel ThreatIntelligenceIndicator table via the RecordedFuture-ImportToSentinel playbook. ![](Images/2023-04-19-17-08-46.png) -Analytic rules correlates threat intelligence indicators with logs provided to Sentinel and creates incidents for any matches found. +Microsoft Sentinel analytic rules correlates threat intelligence indicators with logs provided to Sentinel and creates alerts/incidents for matches found. + ![](Images/2023-04-19-17-46-32.png) -## Response - Enrichment +## **IOC Enrichment (Respond)** -Automation rules trigger on each incident and enriches the incidents with Recorded Future intelligence. +Automation rules triggers on each incident and enriches incidents with Recorded Future intelligence. ![](Images/2023-04-19-17-46-13.png) -# Risk lists -Risk lists are lists of high risk indicators matching some specific criteria. We use these lists to transfer accurate and current threat intelligence to Microsoft Sentinel as ThreatIntelligenceIndicators. Connect logs from your infrastructure in order to detect, prevent and triage security vulnerabilities. +## **Malware Sandbox Analysis** + +Uploads and detonate samples in Recorded Future's Malware Analysis Sandbox. The sandbox provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation, leading to faster triage. 
+![](Images/2023-06-26-10-04-42.png) + +## **Import Alerts** (SOC Efficiency) + +To increase the visibility and availability of Recorded Future Alerts. Import Recorded Future Alerts and Playbook Alerts from Recorded Future Portal into Sentinel. -Read more about risk lists by following the links below: -- https://www.recordedfuture.com/support/install-configure-manage-risk-lists --[Recorded Future Risk Lists](https://support.recordedfuture.com/hc/en-us/articles/115000897248-Recorded-Future-Risk-Lists) (Require Recorded Future Login) -- [Risk List Download Recommendations](https://support.recordedfuture.com/hc/en-us/articles/115010401968-Risk-List-Download-Recommendations) (Require Recorded Future Login) +## Risk lists +Risk lists are curated lists that contain Indicators of Compromise (IOCs), such as IP addresses, domains, file hashes, or URLs associated with malicious activity. These lists are generated based on a wide array of Recorded Future intelligence sources, including open web, dark web, and other technical sources. -# Prerequisites +* [Manage Risk Lists](https://www.recordedfuture.com/support/install-configure-manage-risk-lists) +* [About Risk Lists](https://support.recordedfuture.com/hc/en-us/articles/115000897248-Recorded-Future-Risk-Lists) (requires login) +* [Risk List Download Recommendations](https://support.recordedfuture.com/hc/en-us/articles/115010401968-Risk-List-Download-Recommendations) (requires login) +# Before You Begin ## Roles and Permissions The following article describes roles and permissions in Microsoft Sentinel [Roles and permissions in Microsoft Sentinel](https://learn.microsoft.com/en-us/azure/sentinel/roles). 
-To install and manage Playbooks/Logic Apps, the following permissions are required on the resource group [Microsoft Sentinel Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) + [Logic App Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor). +To install and manage Playbooks/Logic Apps, the following permissions are required on the resource group [Microsoft Sentinel Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#microsoft-sentinel-contributor) and [Logic App Contributor](https://learn.microsoft.com/en-us/azure/role-based-access-control/built-in-roles#logic-app-contributor). -The Threat Intelligence Platforms Data Connector in Sentinel must be enabled in order for indicators to be forwarded from the Graph Security API to Sentinel. +The **Threat Intelligence Upload Indicators API** in Sentinel must be enabled in order for indicators to be forwarded to Sentinel ThreatIntelligenceIndicator table. + +![](Images/2023-09-13-15-51-44.png) + +DEPRECATED! The **Threat Intelligence Platforms Data Connector** in Sentinel must be enabled in order for indicators to be forwarded from the Graph Security API to Sentinel. (This connector is being deprecated by Microsoft and future updates of this solution will use the Threat Intelligence Upload Indicators API). ![](Images/2023-04-19-16-28-20.png) -## Connector authorization +## Connectors Authorization Each connector need to be authorized after playbook/logic app installation. Expand all nodes in the logic app after installation and look for blocks marked with a warning sign. Open and authorize all connections. +Recorded Future requires API keys to communicate with our API. 
To obtain API keys, please visit [Recorded Future Requesting API Tokens](https://support.recordedfuture.com/hc/en-us/articles/4411077373587-Requesting-API-Tokens) (Require Recorded Future Login) and request API token for ```Recorded Future for Microsoft Sentinel``` or/and ```Recorded Future Sandbox for Microsoft Sentinel```. +![](Images/2023-09-08-12-13-06.png) \ +or + +![](Images/2023-09-08-12-13-54.png) + + The Recorded Future solution uses the following connectors: -- **/recordedfuturev2** - [Microsoft power platform connectors](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/). All logic apps require APIKeys to communicate with the Recorded Future API. To obtain APIKeys, please visit [Recorded Future Requesting API Tokens](https://support.recordedfuture.com/hc/en-us/articles/4411077373587-Requesting-API-Tokens)(Require Recorded Future Login) and request API token for Recorded Future for Microsoft Sentinel. -- **/microsoftgraphsecurity** - [Documenation on Microsoft power platform connectors](https://learn.microsoft.com/en-us/connectors/microsoftgraphsecurity/) +- **/recordedfuturev2** - [Microsoft power platform connector](https://learn.microsoft.com/en-us/connectors/recordedfuturev2/). + + +- **/recordedfuturesandbo** - [Microsoft power platform connector](https://learn.microsoft.com/en-us/connectors/recordedfuturesandbo/). + + - **/azuresentinel** - [Documentation on Microsoft power platform connectors](https://learn.microsoft.com/en-us/connectors/azuresentinel/) -- **/recordedfuturesandbo** - [Microsoft power platform connectors](https://learn.microsoft.com/en-us/connectors/recordedfuturesandbo/). All logic apps require APIKeys to communicate with the Recorded Future API. To obtain APIKeys, please visit [Recorded Future Requesting API Tokens](https://support.recordedfuture.com/hc/en-us/articles/4411077373587-Requesting-API-Tokens) (Require Recorded Future Login) and request API Token for Recorded Future Sandbox for Microsoft Sentinel. 
+ + +- **/microsoftgraphsecurity** - [Documenation on Microsoft power platform connectors](https://learn.microsoft.com/en-us/connectors/microsoftgraphsecurity/). The playbooks using this API is being DEPRECATED and will transition to new playbooks using azuresentinel api. ## Ingestion and Operational costs Playbook(Logic apps) may result in additional ingestion or operational costs: @@ -71,13 +96,11 @@ Recorded Futures risk lists are generated at different cadences as described in # Installation -There are two options for installing playbooks and starting automated threat response: +There are two options for installing playbooks and starting automate threat response: - Installing the solution from [Content Hub](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/GalleryItemDetailsBladeNopdl/dontDiscardJourney~/true/id/recordedfuture1605638642586.recorded_future_sentinel_solution). (Recommended) -- Installing the playbooks one by one by from this Readme. - -> **Due to internal dependencies, please deploy and activate the ImportToSentinel playbook before any of the IndicatorProcessor/TIProcessor playbooks.** +- Installing the playbooks one by one by from this Readme further down in this document. ## Content Hub Installation 
@@ -92,24 +115,42 @@ To use the workbooks, playbooks and analytic rules, install them inside of Senti ## Playbooks one by one installation To install individual playbooks one by one, use the buttons next to the descriptions of the individual playbooks further down in this document. +> **Due to internal dependencies, please deploy and activate the ThreatIntelligenceImport playbook before any of the IndicatorProcessor/TIProcessor playbooks.** + +# Upgrade from previous versions + +### From version 2.4 +We are deprecating the RecordedFuture-ImportToSentinel and all *-TIProcessor playbooks. You need to install the new IndicatorImport playbooks and configure them to download you selection of risk lists. Investigate the risk lists being downloaded and the cadence and use the same configuration using the TIProcessor playbooks. Use the same description for threat indicators if you have analytic rules set up for alerting. +### From version 1 +If you have a version 1 installation you need to first acquire a V2 APi key from Recorded Future. Install the new all IndicatorImport and enrichment -playbooks. Select a different name than the once already installed and reauthenticate them. Configure the IndicatorImport playbooks to pull your selection of risk lists. After validating that the new playbooks works as expected you can deactivate the V1 versions. + # Configuration ## Risk list configuration -Verify that the **ImportToSentinel** logic app is installed and active in your environment before installing the TIProcessing risk lists. -![](Images/2023-04-18-11-00-01.png) +Verify that the **ThreatIntelligenceImport** logic app is installed and active in your environment before installing the TIProcessing risk lists. -From Automation -> Playbook Template -> Select any Recorded Future playbook that ends with TIProcessor, like **RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor**, press create playbook. 
-Note that it is possible to deploy several instances of the same template by giving them unique names. +From ```Automation -> Playbook Template``` Select any Recorded Future playbook that ends with IndicatorImport, like **RecordedFuture-IP-IndicatorImport**, press create playbook. +Note that it is possible to deploy several instances of the same template by giving them unique names. This is how you can pull several risk lists of the same type. ![](Images/2023-04-19-16-49-53.png) -The parameter PlaybookNameBatching is the name of the ImportToSentinel playbook that will handle batch processing of indicators into Sentinel. In the last step press **Create and continue to designer**. +The parameter PlaybookNameBatching is the name of the ThreatIntelligenceImport playbook that will handle batch processing of indicators into Sentinel. In the last step press **Create and continue to designer**. ![](Images/2023-04-19-16-51-12.png) In the designer, locate all steps that show a warning and authenticate these steps. Authentication looks different for each connection. More information on this can be found in the chapter above called Connector Authorization. ![](Images/2023-04-18-14-39-40.png) -## Configure cadence of Risk list ingestion +## Change risk list +You can change risk list to pull in to your environment. This can be done in the default playbook or you can install several instances of one playbook. +Example: You would like to use both ```Actively Communicating Validated C&C Server``` and ```Recent Phishing Host``` ip risk lists. +Select the **RecordedFuture-IP-IndicatorImport** template from ```Automation -> Playbook``` twice and save with different names like ```Recorded Future - Actively Communicating Validated C&C Server - IndicatorImport``` and ```Recorded Future - Phishing Host - IndicatorImport```. + +Change the risk list to download and modify the description in the ```RecordedFuture-Threatlntelligencelmport``` step in the logic app. 
+![](Images/2023-09-08-12-01-37.png) + +## Configure Cadence of Risk List Ingestion +Its possible to adjust the cadence of risk list download to reduce traffic and cost. Recorded Future have the following recommendations [Risk-List-Download-Recommendations](https://support.recordedfuture.com/hc/en-us/articles/115010401968-Risk-List-Download-Recommendations) (Require Recorded Future Login). + The first step of all TIProcessing Playbooks is a recurrence step, it is possible to adjust the cadence by modifying the interval and frequency parameters. ![](Images/2023-04-18-14-52-32.png) @@ -118,20 +159,24 @@ If you do so however, it is critical that you also adjust the expirationDateTime * Having no active Recorded Future indicators the majority of the time. If you are unsure of how to do this, please consult Recorded Future Professional Services. - +![](Images/2023-06-26-10-59-49.png) ## Query Risk lists -After successfully importing one or more risk lists it is possible to query the imported data in your Log Analytics Workspace. +After successfully running and importing one or more risk lists it is possible to query the imported data in your Log Analytics Workspace. Example queries: ``` sql +// List 10 rows from ThreatIntelligenceIndicator log imported from Recorded Future ThreatIntelligenceIndicator | where Description contains "Recorded Future" | take 10 +// List 10 rows from ThreatIntelligenceIndicator log imported from the +// IP - Actively Communicating C&C Server risk list ThreatIntelligenceIndicator |where Description == "Recorded Future - IP - Actively Communicating C&C Server" | take 10 +// List 10 rows from ThreatIntelligenceIndicator log imported from Recorded Future ThreatIntelligenceIndicator |where Description == "Recorded Future - IP - Actively Communicating C&C Server" and AdditionalInformation contains "Cobalt Strike" | take 10 
@@ -139,90 +184,139 @@ ThreatIntelligenceIndicator ![](Images/2023-04-18-16-39-00.png) -## Configure Analytic Rules for detection -The Solution contains examples of how to build Analytic Rules based on Recorded Future Risk Lists. -![](Images/2023-04-18-16-46-44.png) +## Activate Analytic Rules for IoC detection +Automatically enrich IOCs in incidents by following the steps below: + +1. Open Microsoft Sentinel. +2. Go to Automation and select *Create Automation rule* +3. Name the rule +4. Select the following options: + * Trigger: **When an incident is created** + * Action: **Run playbook** + * Playbook (successfully configured): + - **RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash** or + - **RecordedFuture-Sandbox_Enrichment-Url** +5. Done -Provided the example you have to adjust the KQL query to match Threat Intelligence indicators with logs from your infrastructure. -![](Images/2023-04-18-17-36-48.png) +The Recorded Future playbook is now configured to run when incidents are triggered, and it will enrich the following IOC types: IP, Domain, URL, or Hash. # Playbooks -The following playbooks are provided by Recorded Future. +This section lists all available Recorded Future Playbooks. -## RecordedFuture-ImportToSentinel -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +## RecordedFuture-ThreatIntelligenceImport +Type: Detection\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. -This playbook will serve all the TIProcessor playbooks with batch import of threat intelligence indicators into the ThreatIntelligenceIndicator table. +Retrieves Indicators Of Compromise (IoCs) from one of the indicator import logic apps, and store them in the ThreatIntelligenceIndicator table. All IndicatorImport playbooks use this playbook for batching. 
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ImportToSentinel%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ImportToSentinel%2Fazuredeploy.json) +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ThreatIntelligenceImport%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ThreatIntelligenceImport%2Fazuredeploy.json) -## RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +## RecordedFuture-Domain-IndicatorImport +Type: Detection\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. -This playbook leverages the Recorded Future API to automate the ingestion of Recorded Future [Actively Communicating C&C Server IP RiskList](https://support.recordedfuture.com/hc/en-us/articles/115000894448-IP-Address-Risk-Rules) (Require Recorded Future Login), into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. 
For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor%2Fazuredeploy.json) +Retrieves the [Microsoft Sentinel Domain Default Risk List ](https://support.recordedfuture.com/hc/en-us/articles/115003793388-Domain-Risk-Rules) (requires login), Domain IOC with risk greater than 65 and adds the IOCs to the ThreatIntelligenceIndicator table. 
-## RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FDomain-IndicatorImport%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FDomain-IndicatorImport%2Fazuredeploy.json) -This playbook leverages the Recorded Future API to automate the ingestion of Recorded Future [C&C DNS Name Domain RiskList](https://support.recordedfuture.com/hc/en-us/articles/115003793388-Domain-Risk-Rules) (Require Recorded Future Login), into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). 
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor%2Fazuredeploy.json) +## RecordedFuture-Hash-IndicatorImport +Type: Detection\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. -## RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +Retrieves the [Microsoft Sentinel Hash Observed in Underground Testing Risk List ](https://support.recordedfuture.com/hc/en-us/articles/115000846167-Hash-Risk-Rules) (requires login), Hashes based on the observedMalwareTesting Risk Rule and adds the IOCs to the ThreatIntelligenceIndicator table. -This playbook leverages the Recorded Future API to automate the ingestion of Recorded Future [Recently Reported by Insikt Group URL RiskList](https://support.recordedfuture.com/hc/en-us/articles/115010052768-URL-Risk-Rules) (Require Recorded Future Login), into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). 
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Hash-IndicatorImport%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Hash-IndicatorImport%2Fazuredeploy.json) -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor%2Fazuredeploy.json) +## RecordedFuture-IP-IndicatorImport +Type: Detection\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. -## RecordedFuture-HASH-Obs_in_Underground-TIProcessor -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +Retrieves the [Actively Communicating Validated C&C Server Risk List ](https://support.recordedfuture.com/hc/en-us/articles/115000894448-IP-Address-Risk-Rules) (requires login), Observing C2 communications with infected machines or adversary control by Recorded Future Network Traffic Analysis. 
-This playbook leverages the Recorded Future API to automate the ingestion of Recorded Future [Observed in Underground Virus Testing Sites Hash RiskList](https://support.recordedfuture.com/hc/en-us/articles/115000846167-Hash-Risk-Rules) (Require Recorded Future Login), into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-IndicatorImport%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-IndicatorImport%2Fazuredeploy.json) -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor%2Fazuredeploy.json) -[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor%2Fazuredeploy.json) +## RecordedFuture-URL-IndicatorImport +Type: Detection\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. 
-## RecordedFuture-Ukraine-IndicatorProcessor -Type: Detection -Included in Recorded Future Intelligence Solution: Yes +Retrieves the [Microsoft Sentinel URL Recently Reported by Insikt Group Risk List ](https://support.recordedfuture.com/hc/en-us/articles/115000894448-IP-Address-Risk-Rules) (requires login), URLs based on the Recently Reported by Insikt Group rule and adds the IOCs to the ThreatIntelligenceIndicator table. -This playbook leverages the Recorded Future API to automate the ingestion of Recorded Future [Ukraine Threat List of Related IOCs](https://support.recordedfuture.com/hc/en-us/articles/4484981411475-Resource-Center-on-the-Ukraine-Conflict) (Require Recorded Future Login), into the ThreatIntelligenceIndicator table, for detection (alert) actions in Microsoft Sentinel. For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-IndicatorImport%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-IndicatorImport%2Fazuredeploy.json) -[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%20Future%2FPlaybooks%2FRecordedFuture-Ukraine-IndicatorProcessor%2Fazuredeploy.json) -[![Deploy to Azure 
Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%20Future%2FPlaybooks%2FRecordedFuture-Ukraine-IndicatorProcessor%2Fazuredeploy.json) +## RecordedFuture-Alert-Importer +Type: Alerting\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. + +Retrieves Alerts and stores them in a custom log in the Log Analytic Workspace. More information on [Alerts](https://support.recordedfuture.com/hc/en-us/articles/115002151327-Setting-up-Event-Alerts) (requires login) + +The Alert importer playbook also creates incidents when receiving alerts. Its possible to turn off incident generation by setting the logic app parameter create_incident to false + +![](Images/2023-08-09-18-05-46.png) + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Alert-Importer%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Alert-Importer%2Fazuredeploy.json) + + +## RecordedFuture-Playbook-Alert-Importer +Type: Alerting\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. + +Retrieves Playbook Alerts and stores them in a custom log in the Log Analytic Workspace. 
More information on [Playbook Alerts](https://support.recordedfuture.com/hc/en-us/articles/13152506878739-Playbook-Alerting-Rules-) (requires login) + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Playbook-Alert-Importer%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Playbook-Alert-Importer%2Fazuredeploy.json) + +__________________________________________________________ ## RecordedFuture-Sandbox_Enrichment-Url -Type: Response -Included in Recorded Future Intelligence Solution: Yes +Type: Response\ +Included in Recorded Future Intelligence Solution: Yes\ +Requires **/recordedfuturesanbo** API keys as described in the [Connector authorization](#connector-authorization) section. + +Enables URL submission to Recorded Future's Malware Analysis Sandbox, the playbook will also create a Sentinel incident with the following information from the analysis report: + +* Severity Score +* signatures +* A link to the complete analysis report -The Recorded Future Sandbox Playbook enables security and IT teams to analyze and understand URLs, which provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation, leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with applications. Incidents will be enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment will be posted as a comment in the Microsoft Sentinel incident. 
For additional information please visit [Recorded Future Sandbox](https://go.recordedfuture.com/hubfs/data-sheets/A4/sandbox.pdf). +File submission requires a storage account. + +To set up automatic enrichment, map alerts to a [custom analytic rule](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). -The automatic enrichments works on known entities of type Url mapped to alerts via analytic rules as described here [Create custom analytics rules to detect threats](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). How to setup automatic enrichment is described in the next section. [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_Enrichment-Url%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_Enrichment-Url%2Fazuredeploy.json) ## RecordedFuture-Sandbox_Outlook_Attachment -Type: Response -Included in Recorded Future Intelligence Solution: No +Type: Response\ +Included in Recorded Future Intelligence Solution: No\ +Requires **/recordedfuturesanbo** API keys as described in the [Connector authorization](#connector-authorization) section. + +Enables submission of file attachments, from Microsoft Outlook emails, to Recorded to Future's Malware Analysis Sandbox. The playbook also creates a Sentinel incident with a summary of the analysis report. -> This playbook is in preview and not part of the Recorded Future Sentinel Solution. It's provided as an example how to build sandbox playbooks. 
+The email address that received the attachment will also receive an email with the summary. -The Recorded Future Sandbox Playbook enables security and IT teams to analyze and understand Outlook attachments, which provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation, leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with outlook. Attachments will be enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment will be sent as a reply to the originating mailbox and a Microsoft Sentinel incident. For additional information about Recorded Future sandbox please visit [Recorded Future Sandbox](https://go.recordedfuture.com/hubfs/data-sheets/A4/sandbox.pdf). +**Information in summary** +* Severity Score +* signatures +* A link to the complete analysis report. + +To set up automatic enrichment, map alerts to a [custom analytic rule](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). -The automatic enrichments works on known entities of type Url mapped to alerts via analytic rules as described here [Create custom analytics rules to detect threats](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). How to setup automatic enrichment is described in the next section. 
[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_Outlook_Attachment%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_Outlook_Attachment%2Fazuredeploy.json) 
@@ -230,14 +324,20 @@ The automatic enrichments works on known entities of type Url mapped to alerts v ![](Images/2023-05-05-15-37-58.png) ## RecordedFuture-Sandbox_StorageAccount -Type: Response -Included in Recorded Future Intelligence Solution: No +Type: Response\ +Included in Recorded Future Intelligence Solution: No\ +Requires **/recordedfuturesanbo** API keys as described in the [Connector authorization](#connector-authorization) section. + +Enables security and IT teams to submit files to Recorded Future's Malware Analysis Sandbox. The playbook will generate an Sentinel incident, and add a comment with a the following data from the analysis report: -> This playbook is in preview state not part of the Recorded Future Sentinel Solution. It's provided as an example how to build sandbox playbooks. +* Severity Score +* signatures +* A link to the complete Sandbox report -The Recorded Future Sandbox Playbook enables security and IT teams to upload and detonate files in Recorded Future Sandbox from a storage accounts. Recorded Future Sandbox provides safe and immediate behavioral analysis, helping contextualize key artifacts in an investigation, leading to faster triage. Through this playbook, organizations can incorporate the malware analysis sandbox into automated workflows with storage accounts. Files will be enriched with the following Recorded Future context: Sandbox Analysis Score, Signatures and a link to the full Recorded Future Sandbox report. The sandbox enrichment will create a Microsoft Sentinel incident. For additional information about Recorded Future sandbox please visit [Recorded Future Sandbox](https://go.recordedfuture.com/hubfs/data-sheets/A4/sandbox.pdf). +This playbook is for file Submission with a storage account. + +To set up automatic enrichment, map alerts to a [custom analytic rule](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). 
-The automatic enrichments works on known entities of type Url mapped to alerts via analytic rules as described here [Create custom analytics rules to detect threats](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). How to setup automatic enrichment is described in the next section. [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_StorageAccount%2Fazuredeploy.json) [![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-Sandbox_StorageAccount%2Fazuredeploy.json) 
@@ -246,11 +346,21 @@ The automatic enrichments works on known entities of type Url mapped to alerts v --- ## RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash -Type: Response +Type: Response\ +Requires **/recordedfuturev2** API keys as described in the [Connector authorization](#connector-authorization) section. + +Enriches IOCs (IPs, Domains, URLs and hashes) in Sentinel incidents with Recorded Future Intelligence. The Playbook adds the following data for all IOCs an incident: -This playbook leverages the Recorded Future API to automatically enrich the IP, Domain, Url and Hash indicators, found in incidents. Incidents will be enriched with the following Recorded Future context: Risk Score, Risk Rules, Research links, Technical links, Previous detections and a link to the Recorded Future Intelligence Card. The enrichment will be posted as a comment in the Microsoft Sentinel incident. For additional information please visit [Recorded Future](https://www.recordedfuture.com/integrations/microsoft). +* Recorded Future Risk Score +* Triggered Risk Rules +* Research Links +* Technical links +* Previous detections +* Link to the IOC Intelligence Card in the Recorded Future portal. + +Data is added as a comment in the incident. -The automatic enrichments works on known entity type (IP, Domain, Url or File Hash) mapped to alerts via analytic rules as described here [Create custom analytics rules to detect threats](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment). How to setup automatic enrichment is described in the next section. 
+Enable automatic enrichment by mapping enrichments to alerts using a [custom analytics rule](https://learn.microsoft.com/en-us/azure/sentinel/detect-threats-custom#alert-enrichment) [![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash%2Fazuredeploy.json) 
@@ -271,4 +381,76 @@ This will trigger the Recorded Future playbook to run when any incident is creat The Recorded Future Intelligence Cloud aggregates data related to Sigma Rules and other indicators, driving collective insights to better identify threats. Anonymized, unattributable data is collected for analytical purposes to identify trends and insights with the Intelligence Cloud. The **RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash** playbook gives end users the ability to contribute collective insights to the Intelligence Cloud. [Click here to learn more](https://support.recordedfuture.com/hc/en-us/articles/11633413141779) (Require Recorded Future Login) -![](./RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/images/IntelligenceCloudParameter.png) \ No newline at end of file +![](./RecordedFuture-IOC_Enrichment-IP_Domain_URL_Hash/images/IntelligenceCloudParameter.png) + + +# DEPRECATED Playbooks +These playbooks will be removed in future version on Recorder Future Solution. +## RecordedFuture-ImportToSentinel +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. +Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves all Risk Lists (IOCs), and adds them to the ThreatIntelligenceIndicator table. All TIProcessor playbooks use this playbook. 
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ImportToSentinel%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-ImportToSentinel%2Fazuredeploy.json) + +## RecordedFuture-IP-Actively_Comm_C2_Server-TIProcessor +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. +Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves the [ Risk List - Actively Communicating C&C IPs](https://support.recordedfuture.com/hc/en-us/articles/115000894448-IP-Address-Risk-Rules) (requires login), and adds the IOCs to the ThreatIntelligenceIndicator table. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-IP-Actively_Comm_C2_Server-IndicatorProcessor%2Fazuredeploy.json) + +## RecordedFuture-DOMAIN-C2_DNS_Name-TIProcessor +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. 
+Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves the [Risk List - C&C DNS Name Domain](https://support.recordedfuture.com/hc/en-us/articles/115003793388-Domain-Risk-Rules) (requires login), and adds the IOCs to the ThreatIntelligenceIndicator table. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-DOMAIN-C2_DNS_Name-IndicatorProcessor%2Fazuredeploy.json) + +## RecordedFuture-URL-Recent_Rep_by_Insikt-TIProcessor +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. +Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves the [ Risk List - Recently Reported by Insikt Group URL](https://support.recordedfuture.com/hc/en-us/articles/115010052768-URL-Risk-Rules) (requires login) and adds the IOCs to the ThreatIntelligenceIndicator table. 
+ +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-URL-Recent_Rep_by_Insikt_Group-IndicatorProcessor%2Fazuredeploy.json) + +## RecordedFuture-HASH-Obs_in_Underground-TIProcessor +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. +Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves the[ Risk List - Observed in Underground Virus Testing Sites Hash](https://support.recordedfuture.com/hc/en-us/articles/115000846167-Hash-Risk-Rules) (requires login), and adds the IOCs to the ThreatIntelligenceIndicator table. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%2520Future%2FPlaybooks%2FRecordedFuture-HASH-Observed_in_Underground_Virus_Test_Sites-IndicatorProcessor%2Fazuredeploy.json) + +## RecordedFuture-Ukraine-IndicatorProcessor +[DEPRECATED]: Use the new RecordedFuture-ThreatIntelligenceImport playbook. 
+Type: Detection +Included in Recorded Future Intelligence Solution: Yes + +Retrieves the [Risk List - Ukraine Threat List of Related IOCs](https://support.recordedfuture.com/hc/en-us/articles/4484981411475-Resource-Center-on-the-Ukraine-Conflict) (requires login), and adds the IOCs to the ThreatIntelligenceIndicator table. + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%20Future%2FPlaybooks%2FRecordedFuture-Ukraine-IndicatorProcessor%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FSolutions%2FRecorded%20Future%2FPlaybooks%2FRecordedFuture-Ukraine-IndicatorProcessor%2Fazuredeploy.json) + + +# Known Issues +## Version 2.5 +Sentinel playbook upgrade experience can result in the following error: ```Cannot read properties of null (reading 'parameters')``` +![](Images/2023-09-13-19-16-24.png) + +A workaround is to reinstall and overwrite the playbooks from the template in Playbook Template tab and not using the upgrade wizard. Before overwriting an active playbook make note of the risk list downloaded, the description, cadence of downloading. +![](Images/2023-09-13-19-24-54.png) diff --git a/Solutions/Recorded Future/ReleaseNotes.md b/Solutions/Recorded Future/ReleaseNotes.md new file mode 100644 index 00000000000..644f41118cb --- /dev/null +++ b/Solutions/Recorded Future/ReleaseNotes.md @@ -0,0 +1,9 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|---------------------------------------------| +| 3.0.0 | 20-09-2023 | Added workbooks for correlating Recorded Future and logs containing IoC of type IP, DNS, URL and Hash
Generate Markdown/HTML response for enrichment comments.
Recorded Future Playbook Alerts playbook and workbook for visualization.
Recorded Future Classic Alerts playbook and workbook for visualization.
Leveraging ner API for importing threat indicators and deprecating old playbooks. | +| 2.4.0 | 29-05-2023 | Sandbox URL enrichment playbook included in the solution
Sandbox of outlook attachment playbook provided as an example outside the solution.
Sandbox of files in Azure storage accounts provided as example outside the solution.
Fix to IOC enrichment playbook don’t report 404 (not found) as an error. | +|2.3.0 | 13-02-2023 | Layout improvements to the incident enrichment playbook.
Added detections from collective insights to enrichment playbooks.
IncidentId and MITRE Att&ck code added to collective insights.
Fix for image in incident comment. | +| 2.2.2 | 23-01-2023 | Fixes for all risk list import playbooks. | +| 2.2.1 | 23-12-2022 | Display severity for risk rules in enrichment of IOCs.
Sorting of risk rules, showing very malicious rules first. | +| 2.2.0 | 14-12-2022 | Improvements to the incident enrichment playbook.
Added Recorded Future links to enrichment comment.
Improved layout of the enrichment, adding Recorded Future logo, table layout. | +| 2.1.0 | 20-09-2022 | Updated all playbooks to use RecordedFutureV2 connector, which requires new API keys.
Added playbooks for importing Ukraine Russia conflict risk lists. |
diff --git a/Solutions/Recorded Future/SolutionMetadata.json b/Solutions/Recorded Future/SolutionMetadata.json
index 2d4e41a6d1c..9bb1c83780a 100644
--- a/Solutions/Recorded Future/SolutionMetadata.json
+++ b/Solutions/Recorded Future/SolutionMetadata.json
@@ -2,7 +2,7 @@
"publisherId": "recordedfuture1605638642586",
"offerId": "recorded_future_sentinel_solution",
"firstPublishDate": "2021-11-01",
- "lastPublishDate": "2023-05-08",
+ "lastPublishDate": "2023-09-19",
"providers": ["Recorded Future"],
"categories": {
"domains": ["Security - Threat Intelligence"]
diff --git a/Solutions/Recorded Future/Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json b/Solutions/Recorded Future/Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json
deleted file mode 100644
index 50f76ea68ef..00000000000
--- a/Solutions/Recorded Future/Workbooks/Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json
+++ /dev/null
@@ -1,252 +0,0 @@
-{
- "version": "Notebook/1.0",
- "items": [
- {
- "type": 1,
- "content": {
- "json": "## Recorded Future - C&C DNS Name to DNS Events - Correlation/Threat Hunting\n\n"
- },
- "name": "text - 0"
- },
- {
- "type": 9,
- "content": {
- "version": "KqlParameterItem/1.0",
- "parameters": [
- {
- "id": "5aaf92cc-3c1e-43f0-8a2f-18a79d7c1d5d",
- "version": "KqlParameterItem/1.0",
- "name": "DNS_Events_Time_Range",
- "label": "DNS Events Time Range",
- "type": 4,
- "isRequired": true,
- "value": {
- "durationMs": 7776000000
- },
- "typeSettings": {
- "selectableValues": [
- {
- "durationMs": 300000
- },
- {
- "durationMs": 900000
- },
- {
- "durationMs": 1800000
- },
- {
- "durationMs": 3600000
- },
- {
- "durationMs": 14400000
- },
- {
- "durationMs": 43200000
- },
- {
- "durationMs": 86400000
- },
- {
- "durationMs": 172800000
- },
- {
- "durationMs": 259200000
- },
- {
- "durationMs": 604800000
- },
- {
- "durationMs": 1209600000
- },
- {
- "durationMs": 2419200000
- },
- {
- "durationMs": 2592000000
- },
- {
- "durationMs": 5184000000
- },
- {
- "durationMs": 7776000000
- }
- ]
- }
- },
- {
- "id": "eea9b6a5-76f4-4d3b-b62d-4f5e1c4173b6",
- "version": "KqlParameterItem/1.0",
- "name": "Threat_Intelligence_Time_Range",
- "label": "Threat Intelligence Time Range",
- "type": 4,
- "isRequired": true,
- "value": {
- "durationMs": 7776000000
- },
- "typeSettings": {
- "selectableValues": [
- {
- "durationMs": 300000
- },
- {
- "durationMs": 900000
- },
- {
- "durationMs": 1800000
- },
- {
- "durationMs": 3600000
- },
- {
- "durationMs": 14400000
- },
- {
- "durationMs": 43200000
- },
- {
- "durationMs": 86400000
- },
- {
- "durationMs": 172800000
- },
- {
- "durationMs": 259200000
- },
- {
- "durationMs": 604800000
- },
- {
- "durationMs": 1209600000
- },
- {
- "durationMs": 2419200000
- },
- {
- "durationMs": 2592000000
- },
- {
- "durationMs": 5184000000
- },
- {
- "durationMs": 7776000000
- }
- ]
- }
- }
- ],
- "style": "pills",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "parameters - 4"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let list_tlds = ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n| where isnotempty(DomainName)\r\n| extend parts = split(DomainName, '.')\r\n| extend tld = parts[(array_length(parts)-1)]\r\n| summarize count() by tostring(tld)\r\n| summarize make_list(tld);\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Active == true\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(DomainName)\r\n| join (\r\n DnsEvents\r\n | where TimeGenerated {DNS_Events_Time_Range:query}\r\n //Extract Domain patterns from syslog message\r\n | where isnotempty(Name)\r\n | extend parts = split(Name, '.')\r\n //Split out the TLD\r\n | extend tld = parts[(array_length(parts)-1)]\r\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\r\n | where tld in~ (list_tlds)\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n) on $left.DomainName==$right.Name\r\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\r\n| render barchart",
- "size": 0,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "query - 1"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let list_tlds = ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n| where isnotempty(DomainName)\r\n| extend parts = split(DomainName, '.')\r\n| extend tld = parts[(array_length(parts)-1)]\r\n| summarize count() by tostring(tld)\r\n| summarize make_list(tld);\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Active == true\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(DomainName)\r\n| join (\r\n DnsEvents\r\n | where TimeGenerated {DNS_Events_Time_Range:query}\r\n //Extract Domain patterns from syslog message\r\n | where isnotempty(Name)\r\n | extend parts = split(Name, '.')\r\n //Split out the TLD\r\n | extend tld = parts[(array_length(parts)-1)]\r\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\r\n | where tld in~ (list_tlds)\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n) on $left.DomainName==$right.Name\r\n| project Risk=ConfidenceScore, DomainName, ThreatType, AdditionalInformation\r\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\r\n| mv-expand Evidence\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc\r\n\r\n",
- "size": 0,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "count_",
- "formatter": 8,
- "formatOptions": {
- "palette": "orange"
- }
- }
- ],
- "labelSettings": [
- {
- "columnId": "Rule"
- },
- {
- "columnId": "count_",
- "label": "Count"
- }
- ]
- }
- },
- "customWidth": "30",
- "name": "query - 2"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "let list_tlds = ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n| where isnotempty(DomainName)\r\n| extend parts = split(DomainName, '.')\r\n| extend tld = parts[(array_length(parts)-1)]\r\n| summarize count() by tostring(tld)\r\n| summarize make_list(tld);\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Active == true\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == 'Recorded Future - DOMAIN - C2 DNS Name'\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(DomainName)\r\n| join (\r\n DnsEvents\r\n | where TimeGenerated {DNS_Events_Time_Range:query}\r\n //Extract Domain patterns from syslog message\r\n | where isnotempty(Name)\r\n | extend parts = split(Name, '.')\r\n //Split out the TLD\r\n | extend tld = parts[(array_length(parts)-1)]\r\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\r\n | where tld in~ (list_tlds)\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n) on $left.DomainName==$right.Name\r\n| project Risk=ConfidenceScore, DomainName, Threat_Intelligence_IOC_Date = TimeGenerated, SourceIP=ClientIP, DNS_Event_Time = DNS_TimeGenerated, ThreatType, Device=Computer, AdditionalInformation\r\n| sort by Risk desc\r\n",
- "size": 0,
- "exportFieldName": "DomainName",
- "exportParameterName": "IOC",
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces",
- "gridSettings": {
- "formatters": [
- {
- "columnMatch": "Risk",
- "formatter": 18,
- "formatOptions": {
- "thresholdsOptions": "colors",
- "thresholdsGrid": [
- {
- "operator": ">=",
- "thresholdValue": "90",
- "representation": "redBright",
- "text": "{0}{1}"
- },
- {
- "operator": ">=",
- "thresholdValue": "65",
- "representation": "orange",
- "text": "{0}{1}"
- },
- {
- "operator": ">=",
- "thresholdValue": "25",
- "representation": "yellow",
- "text": "{0}{1}"
- },
- {
- "operator": "Default",
- "thresholdValue": null,
- "representation": "blue",
- "text": "{0}{1}"
- }
- ]
- }
- }
- ]
- },
- "sortBy": []
- },
- "customWidth": "70",
- "name": "query - 3"
- },
- {
- "type": 3,
- "content": {
- "version": "KqlItem/1.0",
- "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains 'Recorded Future - DOMAIN - C2 DNS Name'\n| where DomainName == \"{IOC}\"\n| where ExpirationDateTime > now()\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\n| take 1\n| mv-expand Evidence\n| project Rules = Evidence['Rule'], Evidence_String = Evidence['EvidenceString'], Criticality = Evidence['Criticality']\n| sort by toint(Criticality) desc",
- "size": 0,
- "queryType": 0,
- "resourceType": "microsoft.operationalinsights/workspaces"
- },
- "name": "query - 5"
- }
- ],
- "fromTemplateId": "sentinel-RecordedFuture-Domain-C2DNS-Workbook",
- "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
-}
\ No newline at end of file
diff --git a/Solutions/Recorded Future/Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json b/Solutions/Recorded Future/Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json
deleted file mode 100644
index 5ba062225f8..00000000000
--- a/Solutions/Recorded Future/Workbooks/Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json
+++ /dev/null
@@ -1,252 +0,0 @@ -{ - "version": "Notebook/1.0", - "items": [ - { - "type": 1, - "content": { - "json": "## Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation/Threat Hunting\n\n" - }, - "name": "text - 0" - }, - { - "type": 9, - "content": { - "version": "KqlParameterItem/1.0", - "parameters": [ - { - "id": "5aaf92cc-3c1e-43f0-8a2f-18a79d7c1d5d", - "version": "KqlParameterItem/1.0", - "name": "DNS_Events_Time_Range", - "label": "DNS Events Time Range", - "type": 4, - "isRequired": true, - "value": { - "durationMs": 7776000000 - }, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] - } - }, - { - "id": "eea9b6a5-76f4-4d3b-b62d-4f5e1c4173b6", - "version": "KqlParameterItem/1.0", - "name": "Threat_Intelligence_Time_Range", - "label": "Threat Intelligence Time Range", - "type": 4, - "isRequired": true, - "value": { - "durationMs": 7776000000 - }, - "typeSettings": { - "selectableValues": [ - { - "durationMs": 300000 - }, - { - "durationMs": 900000 - }, - { - "durationMs": 1800000 - }, - { - "durationMs": 3600000 - }, - { - "durationMs": 14400000 - }, - { - "durationMs": 43200000 - }, - { - "durationMs": 86400000 - }, - { - "durationMs": 172800000 - }, - { - "durationMs": 259200000 - }, - { - "durationMs": 604800000 - }, - { - "durationMs": 1209600000 - }, - { - "durationMs": 2419200000 - }, - { - "durationMs": 2592000000 - }, - { - "durationMs": 5184000000 - }, - { - "durationMs": 7776000000 - } - ] - } - } - ], - "style": "pills", - 
"queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "parameters - 4" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\r\n| join (\r\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\r\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\r\n | extend SingleIP = split(IPAddresses, \",\")\r\n | mvexpand SingleIP\r\n | extend SingleIP = tostring(SingleIP)\r\n // renaming time column so it is clear the log this came from\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.SingleIP\r\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\r\n| render barchart", - "size": 0, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 1" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\r\n| join (\r\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\r\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\r\n | extend SingleIP = split(IPAddresses, \",\")\r\n | mvexpand SingleIP\r\n | extend SingleIP = tostring(SingleIP)\r\n // renaming time column so it is clear the log this came from\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.SingleIP\r\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, AdditionalInformation\r\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\r\n| mv-expand Evidence\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc\r\n\r\n", - "size": 0, - 
"queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "count_", - "formatter": 8, - "formatOptions": { - "palette": "orange" - } - } - ], - "labelSettings": [ - { - "columnId": "Rule" - }, - { - "columnId": "count_", - "label": "Count" - } - ] - } - }, - "customWidth": "30", - "name": "query - 2" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\r\n| join (\r\n DnsEvents | where TimeGenerated {DNS_Events_Time_Range:query}\r\n | where SubType =~ \"LookupQuery\" and isnotempty(IPAddresses)\r\n | extend SingleIP = split(IPAddresses, \",\")\r\n | mvexpand SingleIP\r\n | extend SingleIP = tostring(SingleIP)\r\n // renaming time column so it is clear the log this came from\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.SingleIP\r\n| project Risk=ConfidenceScore, DestinationIP=NetworkIP, Threat_Intelligence_IOC_Date = TimeGenerated, SourceIP=ClientIP, DNS_Event_Time = DNS_TimeGenerated, ThreatType, Device=Computer, AdditionalInformation\r\n| sort by Risk desc\r\n", - "size": 0, - "exportFieldName": "DestinationIP", - "exportParameterName": "IOC", - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces", - "gridSettings": { - "formatters": [ - { - "columnMatch": "Risk", - "formatter": 18, - "formatOptions": { - "thresholdsOptions": "colors", - "thresholdsGrid": [ - { - "operator": ">=", - "thresholdValue": "90", - "representation": "redBright", - "text": "{0}{1}" - }, - { - "operator": ">=", - "thresholdValue": "65", - "representation": "orange", - "text": "{0}{1}" - }, - { - "operator": ">=", - "thresholdValue": "25", - "representation": "yellow", - "text": "{0}{1}" - }, - { - "operator": "Default", - "thresholdValue": null, - 
"representation": "blue", - "text": "{0}{1}" - } - ] - } - } - ] - }, - "sortBy": [] - }, - "customWidth": "70", - "name": "query - 3" - }, - { - "type": 3, - "content": { - "version": "KqlItem/1.0", - "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains 'Recorded Future - IP - Actively Communicating C&C Server'\n| where NetworkIP == \"{IOC}\"\n| where ExpirationDateTime > now()\n| extend Evidence=parse_json(AdditionalInformation)['EvidenceDetails']\n| take 1\n| mv-expand Evidence\n| project Rules = Evidence['Rule'], Evidence_String = Evidence['EvidenceString'], Criticality = Evidence['Criticality']\n| sort by toint(Criticality) desc", - "size": 0, - "queryType": 0, - "resourceType": "microsoft.operationalinsights/workspaces" - }, - "name": "query - 5" - } - ], - "fromTemplateId": "sentinel-RecordedFuture-IP-ActiveC2-Workbook", - "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" -} diff --git a/Solutions/Recorded Future/Workbooks/RecordedFutureAlertOverview.json b/Solutions/Recorded Future/Workbooks/RecordedFutureAlertOverview.json new file mode 100644 index 00000000000..6e5f253630e --- /dev/null +++ b/Solutions/Recorded Future/Workbooks/RecordedFutureAlertOverview.json 
@@ -0,0 +1,328 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 1, + "content": { + "json": "## Recorded Future Alerts\n---\n\nWorkbook to display and analyze Recorded Future Alerts. This workbook visualize data that is retrived by the ```Recorded Future Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePortalAlerts_CL table.", + "style": "info" + }, + "name": "text - 2" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "8e8c2f1a-d25d-49d1-a217-9831dbc4f919", + "version": "KqlParameterItem/1.0", + "name": "time_picker", + "label": "Time Picker", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + }, + { + "id": "f8d34a51-ba10-4241-abff-cb6c14b50a55", + "version": "KqlParameterItem/1.0", + "name": "log_table", + "label": "Alerts Log Table", + "type": 2, + "isRequired": true, + "query": "search \"*\" | summarize count() by $table | sort by count_ desc | where $table endswith \"CL\" | project $table", + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "time_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "RecordedFuturePortalAlerts_CL" + }, + { + "id": "89279a9c-af9e-4734-8a98-21aa1f2fa545", + "version": "KqlParameterItem/1.0", + "name": "alert_rules", + 
"label": "Alert Rules", + "type": 2, + "description": "Filter alert rules you're looking at", + "isRequired": true, + "multiSelect": true, + "quote": "'", + "delimiter": ",", + "query": "{log_table}\n| distinct RuleName_s", + "typeSettings": { + "additionalResourceOptions": [ + "value::all" + ], + "showDefault": false + }, + "timeContext": { + "durationMs": 0 + }, + "timeContextFromParameter": "time_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": [ + "value::all" + ] + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{log_table:value}\n| where RuleName_s in ({alert_rules:value})\n| distinct AlertID_s, RuleName_s, Triggered_t\n| summarize alert_count = count() by RuleName_s\n| project alert_count, Alert = RuleName_s\n", + "size": 0, + "title": "Top Rules Triggered", + "noDataMessage": "There are no alerts within this time frame.", + "timeContextFromParameter": "time_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "piechart" + }, + "customWidth": "50", + "name": "query - 2", + "styleSettings": { + "maxWidth": "30" + } + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{log_table:value}\n| where RuleName_s in ({alert_rules:value})\n| distinct AlertID_s, RuleName_s, Triggered_t\n| summarize Alert=count() by bin(Triggered_t, 1h)\n", + "size": 0, + "title": "Alerts triggered over time", + "timeContextFromParameter": "time_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "categoricalbar" + }, + "customWidth": "50", + "name": "query - 2 - Copy", + "styleSettings": { + "maxWidth": "70" + } + }, + { + "type": 11, + "content": { + "version": "LinkItem/1.0", + "style": "tabs", + "links": [ + { + "id": 
"20edde78-9485-4056-8eca-6ef7cd86c8b5", + "cellValue": "TAB", + "linkTarget": "parameter", + "linkLabel": "Alert", + "subTarget": "Reference", + "preText": "Some thing", + "postText": "Some thing", + "style": "link" + } + ] + }, + "name": "links - 5" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{log_table:value}\n| where RuleName_s in ({alert_rules:value})\n//| where Documents_s != \"[]\"\n//| distinct AlertID_s, AlertName_s, Documents_s, Entity_description_s, Entity_id_s, Entity_name_s, Entity_type_s, Risk_criticalityLabel_s, \n//Risk_criticality_d, Risk_documents_s, Risk_evidence_s, RuleName_s, Trend_documents_s, Trend_name_s, Trend_strengthLabel_s, Trend_strength_d, Triggered_t\n| distinct Triggered = Triggered_t, [\"Alert ID\"]=AlertID_s, [\"Alert Name\"]=AlertName_s, [\"Rule Name\"]=RuleName_s, [\"External Link\"]= URL_s\n\n\n\n", + "size": 0, + "timeContextFromParameter": "time_picker", + "exportFieldName": "Alert ID", + "exportParameterName": "Ref_AlertID", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "External Link", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Recorded Future" + } + }, + { + "columnMatch": "Recorded Future Portal", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url" + } + }, + { + "columnMatch": "URL", + "formatter": 7, + "formatOptions": { + "linkTarget": "Url", + "linkLabel": "Recorded Future" + } + } + ], + "sortBy": [ + { + "itemKey": "Triggered", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "Triggered", + "sortOrder": 2 + } + ] + }, + "name": "query - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{log_table:value}\n| where AlertID_s == \"{Ref_AlertID}\"\n| project Fragment=Fragment_s, Source=Documents_source_name_s, 
Title=Documents_title_s, URL=Document_url_s, AlertName = RuleName_s, AlertID=AlertID_s, entities=parse_json(Entity_s)\n| mv-apply with_itemindex=i entities on (\n extend p = pack(strcat(\"Entity \", i+1), strcat(entities.type, \", \", entities.name, \", id:\", entities.id))\n | summarize b = make_bag(p)\n)\n| evaluate bag_unpack(b)\n| project-reorder Fragment, Source, Title, URL, Entity*\n\n", + "size": 0, + "timeContextFromParameter": "time_picker", + "exportedParameters": [ + { + "fieldName": "Fragment", + "parameterName": "FragmentRef", + "parameterType": 1 + }, + { + "fieldName": "Title", + "parameterName": "TitleRef", + "parameterType": 1 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Fragment", + "formatter": 7, + "formatOptions": { + "linkTarget": "GenericDetails", + "linkIsContextBlade": true + }, + "tooltipFormat": { + "tooltip": "{0}" + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "TAB", + "comparison": "isEqualTo", + "value": "Reference" + }, + "name": "Reference View" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "**Document Title**\r\n{TitleRef}" + }, + "name": "text - 3" + }, + { + "type": 1, + "content": { + "json": "**Fragment**\r\n{FragmentRef}\r\n\r\n\r\n" + }, + "showPin": false, + "name": "Fragment" + } + ] + }, + "name": "group - 4" + } + ] + }, + "conditionalVisibility": { + "parameterName": "TAB", + "comparison": "isEqualTo", + "value": "Reference" + }, + "name": "Reference Alerts" + } + ], + "fromTemplateId": "sentinel-RecordedFutureAlertOverviewWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file 
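Review bot: The tab link item "links - 5" still carries placeholder copy, `"preText": "Some thing"` and `"postText": "Some thing"`, which should be removed before this workbook ships. The first query in the "Reference Alerts" group keeps commented-out pipeline stages (`//| where Documents_s != "[]"` and a commented-out `distinct` over fifteen columns) plus four trailing `\n`; drop them from the query string. The Reference View filter `| where AlertID_s == "{Ref_AlertID}"` splices a value taken from the ingested `RecordedFuturePortalAlerts_CL` rows straight into a string literal, so an alert id containing a double quote or backslash errors the query rather than matching; as far as I can tell Workbooks offers no escaping for exported grid parameters, so at minimum that limitation belongs in a comment beside the query. The intro text has two typos, `visualize data that is retrived` → `visualizes data that is retrieved`.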
diff --git a/Solutions/Recorded Future/Workbooks/RecordedFutureDomainCorrelation.json b/Solutions/Recorded Future/Workbooks/RecordedFutureDomainCorrelation.json new file mode 100644 index 00000000000..dc50bc748d0 --- /dev/null +++ b/Solutions/Recorded Future/Workbooks/RecordedFutureDomainCorrelation.json 
@@ -0,0 +1,473 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Show Guide", + "type": 10, + "isRequired": true, + "jsonData": "[\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\n {\"value\": \"No\", \"label\": \"No\"}\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "No" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Guide: Domain Correlation \n\nRecorded Future’s Domain Correlation Workbook helps you detect malicious domains within your environment by correlating your logs with Recorded Future Domain Risk Lists.\n\n### How to Correlate Domains\n\nTo correlate domains, follow the steps below:\n\n1. In the **Domain Logs Table** dropdown, select a log table that contains domain logs.\n\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\n2. In the **Log field with domains** dropdown, select the log field that holds the domains to be correlated.\n\t* The workbook can correlate domains in the format: `domainName.net`.\n3. Select a Recorded Future Domain Risk List for correlation.\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\n5. 
Done\n\n---\n\n#### Log table with examples of correlatable log fields\n\n| Table \t | Field |\n| ----------- \t | ----------- |\n| DNSEvents | Name |\n| _Im_Dns \t | DnsQuery |", + "style": "info" + }, + "name": "text - 0" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "group - 15" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Domains (from logs)" + }, + "customWidth": "50", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Recorded Future Risk List" + }, + "customWidth": "50", + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b91b8b5b-10cf-4106-99e2-793eb0d72dce", + "version": "KqlParameterItem/1.0", + "name": "Domain_Logs_Time_Range", + "label": "Logs from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 604800000 + } + }, + { + "id": "3300ad41-acbc-4ebd-900a-c6ab250b7c73", + "version": "KqlParameterItem/1.0", + "name": "Domain_Logs_Table", + "label": "Domain Logs Table", + "type": 2, + "description": "Log Table to correlate Domains Against", + "isRequired": true, + "query": "search \"*\" \n| where TimeGenerated {Domain_Logs_Time_Range:query}\n| 
summarize count() by $table \n| sort by count_ desc \n| where $table != \"ThreatIntelligenceIndicator\" \n| project $table\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "Squid_Proxy_URL_CL" + }, + { + "id": "f4f77ada-b97c-4a82-9421-20a58fb7ce26", + "version": "KqlParameterItem/1.0", + "name": "Domain_Logs_Field", + "label": "Log Field with Domains", + "type": 2, + "description": "Select the field containing the Domain Name that you want to correlate against", + "isRequired": true, + "query": "{Domain_Logs_Table:value}\n| getschema\n| where DataType == \"System.String\"\n| project ColumnName", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "Domain_s" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "95e78560-1e69-437c-8226-7b0f8c4dc199", + "version": "KqlParameterItem/1.0", + "name": "Threat_Intelligence_Time_Range", + "label": "Data from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "value": { + "durationMs": 604800000 + } + }, + { + "id": "e7c7e2ea-f5b3-4505-b64c-b18ca8561168", + "version": "KqlParameterItem/1.0", + "name": "RF_Risk_list", + "label": "Risk List", + "type": 2, + "description": "Which Domain 
Risk List do you want to correlate against", + "isRequired": true, + "query": "ThreatIntelligenceIndicator\n| where isnotempty(DomainName)\n| where Description contains \"Recorded Future\"\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| summarize count() by Description\n| project output = strcat('\"', Description, '\"')\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "\"Recorded Future - DOMAIN - Default RiskList\"" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 1" + } + ], + "exportParameters": true + }, + "name": "group - 10" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected Domains Per Day\n\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.", + "style": "info" + }, + "customWidth": "100", + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let list_tlds = ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == {RF_Risk_list:value}\n| where isnotempty(DomainName)\n| where isnotempty(Tags)\n| extend parts = split(DomainName, '.')\n| extend tld = parts[(array_length(parts)-1)]\n| summarize count() by tostring(tld)\n| summarize make_list(tld);\nThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Active == true\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\n| where Description == 
{RF_Risk_list:value}\n// Picking up only IOC's that contain the entities we want\n| where isnotempty(DomainName)\n| where isnotempty(Tags)\n| join (\n {Domain_Logs_Table:value}\n | where TimeGenerated {Domain_Logs_Time_Range:query}\n //Extract Domain patterns from syslog message\n | where isnotempty({Domain_Logs_Field:value})\n | extend parts = split({Domain_Logs_Field:value}, '.')\n //Split out the TLD\n | extend tld = parts[(array_length(parts)-1)]\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\n | where tld in~ (list_tlds)\n | extend DNS_TimeGenerated = TimeGenerated\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\n| summarize Correlation_Matches=count() by bin(DNS_TimeGenerated, 1d)\n| render barchart", + "size": 0, + "title": "Detected Domains Per Day", + "noDataMessage": "No detected domains", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "100", + "name": "query - 1" + } + ] + }, + "customWidth": "100", + "name": "group - 14" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected Domains\n\nThe Detected Domains table lists domains from the correlated logs that have been matched with Recorded Future Domain Risk Lists.\n\n**Table Columns**\n\n* **Risk Score:** The Recorded Future Risk Score for the domain (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\n* **Domain:** The detected domain.\n* **Detected:** The time when the log was correlated with a Risk List.\n* **Log Created:** The time when the log event itself was created.\n* **Threat Classification:** The type of threat associated with the domain (IOC).", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": 
"KqlItem/1.0", + "query": "let list_tlds = ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == {RF_Risk_list:value}\r\n| where isnotempty(DomainName)\r\n| where isnotempty(Tags)\r\n| extend parts = split(DomainName, '.')\r\n| extend tld = parts[(array_length(parts)-1)]\r\n| summarize count() by tostring(tld)\r\n| summarize make_list(tld);\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Active == true\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == {RF_Risk_list:value}\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(DomainName)\r\n| join (\r\n {Domain_Logs_Table:value}\r\n | where TimeGenerated {Domain_Logs_Time_Range:query}\r\n //Extract Domain patterns from syslog message\r\n | where isnotempty({Domain_Logs_Field:value})\r\n | extend parts = split({Domain_Logs_Field:value}, '.')\r\n //Split out the TLD\r\n | extend tld = parts[(array_length(parts)-1)]\r\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\r\n | where tld in~ (list_tlds)\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\r\n| project [\"Risk Score\"]=ConfidenceScore, Domain=DomainName, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Log Created\"]=format_datetime(DNS_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Threat Classification\"]=ThreatType\r\n| summarize [\"Log Created\"]=max([\"Log Created\"]) by Domain, [\"Risk Score\"], Detected, [\"Threat Classification\"]\r\n| project [\"Risk Score\"], Domain, Detected, [\"Log Created\"], [\"Threat Classification\"]\r\n| sort by [\"Risk Score\"] desc", + "size": 0, + "title": "Detected Domains", + 
"noDataMessage": "No detected domains", + "exportFieldName": "Domain", + "exportParameterName": "MaliciousDomainMatch", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Risk", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "90", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "65", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "25", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + } + ] + } }, + "customWidth": "70", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "let list_tlds = ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == {RF_Risk_list:value}\r\n| where isnotempty(DomainName)\r\n| where isnotempty(Tags)\r\n| extend parts = split(DomainName, '.')\r\n| extend tld = parts[(array_length(parts)-1)]\r\n| summarize count() by tostring(tld)\r\n| summarize make_list(tld);\r\nThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Active == true\r\n// Picking up only Recorded Future IOC's that are pertinent to the use case (Malware C2 Detection)\r\n| where Description == {RF_Risk_list:value}\r\n// Picking up only IOC's that contain the entities we want\r\n| where isnotempty(DomainName)\r\n| where isnotempty(Tags)\r\n| join (\r\n {Domain_Logs_Table:value}\r\n | where TimeGenerated {Domain_Logs_Time_Range:query}\r\n //Extract Domain patterns from syslog message\r\n | where isnotempty({Domain_Logs_Field:value})\r\n | extend parts = 
split({Domain_Logs_Field:value}, '.')\r\n //Split out the TLD\r\n | extend tld = parts[(array_length(parts)-1)]\r\n //Validate parsed Domain by checking if the TLD is in the list of TLDs in our threat feed\r\n | where tld in~ (list_tlds)\r\n | extend DNS_TimeGenerated = TimeGenerated\r\n) on $left.DomainName==$right.{Domain_Logs_Field:value}\r\n| project Risk=ConfidenceScore, DomainName, ThreatType, Tags\r\n| extend Evidence=parse_json(Tags)[0]\r\n| mv-expand Evidence = parse_json(tostring(Evidence))\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc\r\n\r\n", + "size": 0, + "title": "Top Triggered Risk Rules", + "noDataMessage": "No triggered Risk Rules", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + } + ], + "labelSettings": [ + { + "columnId": "count_", + "label": "Count" + } + ] + } + }, + "customWidth": "30", + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "### Detected Domains: Evidence Details\n\nTo view evidence details, click a row (domain) in the Detected Domains table." 
+ }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains {RF_Risk_list:value}\n| where DomainName == \"{MaliciousDomainMatch}\"\n| where isnotempty(Tags)\n//| where ExpirationDateTime > now()\n| extend Evidence=parse_json(Tags)[0]\n| take 1\n| mv-expand Evidence = parse_json(tostring(Evidence))\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString'] \n| sort by toint(Criticality) desc", + "size": 1, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Evidence_String", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "70%" + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "MaliciousDomainMatch", + "comparison": "isNotEqualTo" + }, + "name": "query - 3" + }, + { + "type": 1, + "content": { + "json": "\n### Source data from {Domain_Logs_Table:value}\nTo view source data of correlated domain, click a row (domain) in the Detected Domains table." 
+ }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{Domain_Logs_Table:value}\n| where TimeGenerated {Domain_Logs_Time_Range:query}\n| where {Domain_Logs_Field:value} == \"{MaliciousDomainMatch}\"\n", + "size": 1, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "MaliciousDomainMatch", + "comparison": "isNotEqualTo", + "value": "" + }, + "name": "query - 1" + } + ] + }, + "name": "group - 8" + } + ], + "styleSettings": { + "paddingStyle": "wide" + }, + "fromTemplateId": "sentinel-RecordedFutureDomainCorrelationWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Recorded Future/Workbooks/RecordedFutureHashCorrelation.json b/Solutions/Recorded Future/Workbooks/RecordedFutureHashCorrelation.json new file mode 100644 index 00000000000..060f2dce248 --- /dev/null +++ b/Solutions/Recorded Future/Workbooks/RecordedFutureHashCorrelation.json 
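Review bot: The correlation join in all three Detected Domains queries is case-sensitive (`) on $left.DomainName==$right.{Domain_Logs_Field:value}`) while the TLD pre-filter is not (`| where tld in~ (list_tlds)`), so a mixed-case DNS query in the logs passes the TLD check and still misses the risk-list entry; normalise both sides first, `| extend DomainKey = tolower(DomainName)` before the join, `| extend DomainKey = tolower({Domain_Logs_Field:value})` inside it, and `) on DomainKey`. The "Detected Domains" grid projects `["Risk Score"]=ConfidenceScore` but its formatter keeps `"columnMatch": "Risk"` from the deleted workbook, so unless columnMatch does prefix matching the threshold colouring never applies; it should read `"columnMatch": "Risk Score"`. That same query omits the `| where isnotempty(Tags)` filter the other two apply to the main indicator stream, so a domain may appear in the table yet show no evidence when clicked. The defaults `"value": "Squid_Proxy_URL_CL"` and `"value": "Domain_s"` look like a custom table and column from the author's workspace rather than the `DnsEvents`/`_Im_Dns` examples the guide lists, so the workbook opens with an invalid selection elsewhere. The evidence query's `"comparison": "isNotEqualTo"` also lacks the `"value": ""` that the source-data query below it carries.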
@@ -0,0 +1,465 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "🔎 Guide", + "type": 10, + "isRequired": true, + "jsonData": "[\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\n {\"value\": \"No\", \"label\": \"No\"}\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "No" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 7" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Guide: Hash Correlation \n\nRecorded Future’s Hash Correlation Workbook helps you detect malicious hashes within your environment by correlating your logs with Recorded Future Hash Risk Lists.\n\n### How to Correlate hashs\n\nTo correlate hashes, follow the steps below:\n\n1. In the **Hash Logs Table** dropdown, select a log table that contains hash logs.\n\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\n2. In the **Log field with hashes** dropdown, select the log field that holds the hashs to be correlated.\n\t* The workbook can correlate hashes in the format: `b0a0c7ae387c00161f4cc26405600b1a`.\n3. Select a Recorded Future Hash Risk List for correlation.\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\n5. 
Done\n\n---\n\n#### Log table with examples of correlatable log fields\n| Table \t \t| Field |\n| ----------- \t \t| ----------- |\n| CommonSecurityLog | FileHash |\n| SecurityEvent \t| FileHash |", + "style": "info" + }, + "name": "text - 0" + } + ] + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "group - 15" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### Hashes (from logs)" + }, + "customWidth": "50", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Recorded Future Risk List" + }, + "customWidth": "50", + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b91b8b5b-10cf-4106-99e2-793eb0d72dce", + "version": "KqlParameterItem/1.0", + "name": "Hash_Logs_Time_Range", + "label": "Logs from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "3300ad41-acbc-4ebd-900a-c6ab250b7c73", + "version": "KqlParameterItem/1.0", + "name": "Hash_Logs_Table", + "label": "Hash Logs Table", + "type": 2, + "description": "Log Table to correlate Domains Against", + "isRequired": true, + "query": "search \"*\" \n| where TimeGenerated 
{Hash_Logs_Time_Range:query}\n| summarize count() by $table | sort by count_ desc | where $table != \"ThreatIntelligenceIndicator\" | project $table\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "EndpointProtection_HASH_CL" + }, + { + "id": "f4f77ada-b97c-4a82-9421-20a58fb7ce26", + "version": "KqlParameterItem/1.0", + "name": "Hash_Logs_Field", + "label": "Log Field with Hashes", + "type": 2, + "description": "Select the field containing the Domain Name that you want to correlate against", + "isRequired": true, + "query": "{Hash_Logs_Table:value}\n| getschema\n| where DataType == \"System.String\"\n| project ColumnName", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "Hash_s" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "95e78560-1e69-437c-8226-7b0f8c4dc199", + "version": "KqlParameterItem/1.0", + "name": "Threat_Intelligence_Time_Range", + "label": "Data from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "value": { + "durationMs": 1209600000 + } + }, + { + "id": "e7c7e2ea-f5b3-4505-b64c-b18ca8561168", + "version": "KqlParameterItem/1.0", + "name": "RF_Risk_list", + "label": "Risk List", + "type": 2, + 
"description": "Which Domain Risk List do you want to correlate against", + "isRequired": true, + "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where isnotempty(FileHashValue)\n| where Description contains \"Recorded Future\"\n| summarize count() by Description\n| project output = strcat('\"', Description, '\"')\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "\"Recorded Future - HASH - Observed in Underground Virus Testing Sites\"" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 1" + } + ], + "exportParameters": true + }, + "name": "group - 10" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected Domains Per Day\n\nThe chart displays the number of correlation detections per day between domain logs and Recorded Future's domain Risk lists.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query} \r\n| where Description == {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| extend FileHashValue = tolower(FileHashValue)\r\n| join (\r\n {Hash_Logs_Table:value}\r\n | where TimeGenerated {Hash_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend Hash_TimeGenerated = TimeGenerated\r\n)\r\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\r\n| summarize Correlation_Matches=count() by bin(Hash_TimeGenerated, 1d)\r\n| render barchart", + "size": 0, + "title": "Detected File Hashes Per Day", + "noDataMessage": "No detected 
hashes", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 1" + } + ] + }, + "name": "group - 11" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected Hashs\n\nThe Detected Hashs table lists hashs from the correlated logs that have been matched with Recorded Future Hash Risk Lists.\n\n**Table Columns**\n\n* **Risk Score:** The Recorded Future Risk Score for the Hashe (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\n* **Hash:** The detected hash.\n* **Detected:** The time when the log was correlated with a Risk List.\n* **Log Created:** The time when the log event itself was created.\n* **Threat Classification:** The type of threat associated with the hash (IOC).", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 1" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| extend FileHashValue = tolower(FileHashValue)\r\n| join (\r\n {Hash_Logs_Table:value}\r\n | where TimeGenerated {Hash_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend Hash_TimeGenerated = TimeGenerated\r\n)\r\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\r\n| project [\"Risk Score\"]=ConfidenceScore, Hash=FileHashValue, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Log Created\"] = format_datetime(Hash_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Threat Classification\"]=ThreatType\r\n| summarize [\"Log Created\"]=max([\"Log Created\"]) by Hash, [\"Risk Score\"], Detected, [\"Threat Classification\"]\r\n| project [\"Risk 
Score\"], Hash, Detected, [\"Log Created\"], [\"Threat Classification\"]\r\n| sort by [\"Risk Score\"] desc\r\n", + "size": 0, + "title": "Detected Hashes", + "noDataMessage": "No detected hashes", + "exportedParameters": [ + { + "fieldName": "Hash", + "parameterName": "MaliciousHashMatch", + "parameterType": 5 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Risk", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "90", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "65", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "25", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + } + ] + } + }, + "customWidth": "70", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| extend FileHashValue = tolower(FileHashValue)\r\n| join (\r\n {Hash_Logs_Table:value}\r\n | where TimeGenerated {Hash_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend Hash_TimeGenerated = TimeGenerated\r\n)\r\non $left.FileHashValue == $right.{Hash_Logs_Field:value}\r\n| project Risk=ConfidenceScore, FileHashValue, ThreatType, Tags\r\n| extend Evidence=parse_json(Tags)[0]\r\n| mv-expand Evidence = parse_json(tostring(Evidence))\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc\r\n\r\n", + "size": 0, + "title": "Top Triggered Risk Rules", + "noDataMessage": "No triggered Risk Rules", + "queryType": 0, + 
"resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + } + ], + "labelSettings": [ + { + "columnId": "count_", + "label": "Count" + } + ] + } + }, + "customWidth": "30", + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "### Detected Hashes: Evidence Details\n\nTo view evidence details, click a row (hash) in the Detected Hashes table." + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains {RF_Risk_list:value}\n| extend FileHashValue = tolower(FileHashValue)\n| where FileHashValue == \"{MaliciousHashMatch}\"\n| where isnotempty(Tags)\n//| where ExpirationDateTime > now()\n| extend Evidence=parse_json(Tags)[0]\n| take 1\n| mv-expand Evidence = parse_json(tostring(Evidence))\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\n| sort by toint(Criticality) desc", + "size": 1, + "noDataMessage": "No evidence details to show", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "MaliciousHashMatch", + "comparison": "isNotEqualTo" + }, + "name": "query - 5" + }, + { + "type": 1, + "content": { + "json": "\n### Source data from {Hash_Logs_Table:value}\n\nTo view source data of correlated hash, click a row (hash) in the Detected Hashes table." 
+ }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{Hash_Logs_Table:value}\n| where TimeGenerated {Hash_Logs_Time_Range:query}\n| where {Hash_Logs_Field:value} == \"{MaliciousHashMatch}\"\n", + "size": 1, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "MaliciousHashMatch", + "comparison": "isNotEqualTo" + }, + "name": "query - 6" + } + ] + }, + "name": "group - 8" + } + ], + "styleSettings": { + "paddingStyle": "wide" + }, + "fromTemplateId": "sentinel-RecordedFutureHashCorrelationWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Recorded Future/Workbooks/RecordedFutureIPCorrelation.json b/Solutions/Recorded Future/Workbooks/RecordedFutureIPCorrelation.json new file mode 100644 index 00000000000..213a79840be --- /dev/null +++ b/Solutions/Recorded Future/Workbooks/RecordedFutureIPCorrelation.json 
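Review bot: The three correlation queries ("Detected File Hashes Per Day", "Detected Hashes", "Top Triggered Risk Rules") lower-case only the indicator side with `| extend FileHashValue = tolower(FileHashValue)` and then join on the case-sensitive `$left.FileHashValue == $right.{Hash_Logs_Field:value}`, so any log source that stores hashes in upper case silently produces zero matches; normalise the log side inside the join subquery too, `| extend {Hash_Logs_Field:value} = tolower({Hash_Logs_Field:value})`. The same mismatch affects the "query - 6" drill-down, where `| where {Hash_Logs_Field:value} == "{MaliciousHashMatch}"` compares the raw log field against the already lower-cased exported `Hash`; the case-insensitive `=~` would make the source-data view work for either casing. The per-day chart filters with `| where Description == {RF_Risk_list:value}` while the other three queries use `contains`, so the chart and the table can disagree on which indicators count as matches — pick one operator for all four. Several parameter descriptions and the first guide block were copied from the domain workbook and still say "Log Table to correlate Domains Against", "Select the field containing the Domain Name that you want to correlate against", "Which Domain Risk List do you want to correlate against" and "Detected Domains Per Day … between domain logs and Recorded Future's domain Risk lists"; these should refer to hashes, and the guide's "hashs"/"Hashe" spellings should be fixed at the same time.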
@@ -0,0 +1,481 @@ +{ + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "041885bf-2e2c-42ae-ad35-2e12272b4dc4", + "version": "KqlParameterItem/1.0", + "name": "Help", + "label": "Show Guide", + "type": 10, + "isRequired": true, + "typeSettings": { + "additionalResourceOptions": "[variables('TemplateEmptyArray')]" + }, + "jsonData": "[\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\n {\"value\": \"No\", \"label\": \"No\"}\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "No" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 6" + }, + { + "type": 1, + "content": { + "json": "### Guide: IP Correlation \n\nRecorded Future’s IP Correlation Workbook helps you detect malicious IPs within your environment by correlating your logs with Recorded Future IP Risk Lists.\n\n### How to Correlate IPs\n\nTo correlate IPs, follow the steps below:\n\n1. In the **IP Logs Table** dropdown, select a log table that contains IP logs.\n\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\n2. In the **Log field with IPs** dropdown, select the log field that holds the IPs to be correlated.\n\t* The workbook can correlate IPs in the format: `5.56.61.62`.\n3. Select a Recorded Future IP Risk List for correlation.\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\n5. 
Done\n\n---\n\n#### Log table with examples of correlatable log fields\n\n\n| Table | Field | Table | Field |\n|------------------------------|--------------------|---------------------------------|-----------|\n| AzureActivity | CallerIpAddress | VMConnection | RemoteIp |\n| AzureDiagnostics | CallerIPAddress | W3CIISLog | cIP |\n| AWSCloudTrail | SourceIpAddress | _Im_NetworkSession | SrcIpAddr |\n| AppServiceHTTPLogs | CIp | _Im_NetworkSession | DstIpAddr |\n| AzureDiagnostics | client_ip_s | _Im_WebSession | SrcIpAddr |\n| CommonSecurityLog | SourceIpAddress | SigninLogs | IPAddress |\n| CommonSecurityLog | DestinationIP | AADNonInteractiveUserSignInLogs | IPAddress |\n| DuoSecurityAuthentication_CL | access_device_ip_s | | |", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 11" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "### IP (from logs)" + }, + "customWidth": "50", + "name": "text - 2" + }, + { + "type": 1, + "content": { + "json": "### Recorded Future Risk List" + }, + "customWidth": "50", + "name": "text - 3" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "b91b8b5b-10cf-4106-99e2-793eb0d72dce", + "version": "KqlParameterItem/1.0", + "name": "IP_Logs_Time_Range", + "label": "Logs from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 
2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 7776000000 + } + }, + { + "id": "3300ad41-acbc-4ebd-900a-c6ab250b7c73", + "version": "KqlParameterItem/1.0", + "name": "IP_Logs_Table", + "label": "IP Logs Table", + "type": 2, + "description": "Log Table to correlate IPs Against", + "isRequired": true, + "query": "search * \n| where TimeGenerated {IP_Logs_Time_Range:query}\n| summarize count() by $table \n| sort by count_ desc \n| where $table != \"ThreatIntelligenceIndicator\" \n| project $table\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "NetScreen_Firewall_CL" + }, + { + "id": "f4f77ada-b97c-4a82-9421-20a58fb7ce26", + "version": "KqlParameterItem/1.0", + "name": "IP_Logs_Field", + "label": "Log Field with IPs", + "type": 2, + "description": "Select the field containing the IP that you want to correlate against", + "isRequired": true, + "query": "{IP_Logs_Table:value}\n| where TimeGenerated {IP_Logs_Time_Range:query}\n| getschema\n| where DataType == \"System.String\"\n| project ColumnName", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "Dst_IPv4_s" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 0" + }, + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "95e78560-1e69-437c-8226-7b0f8c4dc199", + "version": "KqlParameterItem/1.0", + "name": "Threat_Intelligence_Time_Range", + "label": "Data from", + "type": 4, + "isRequired": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 900000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 14400000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 
86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 259200000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 1209600000 + }, + { + "durationMs": 2419200000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 5184000000 + }, + { + "durationMs": 7776000000 + } + ] + }, + "value": { + "durationMs": 5184000000 + } + }, + { + "id": "e7c7e2ea-f5b3-4505-b64c-b18ca8561168", + "version": "KqlParameterItem/1.0", + "name": "RF_Risk_list", + "label": "Risk List", + "type": 2, + "description": "Which IP Risk List do you want to correlate against", + "isRequired": true, + "query": "ThreatIntelligenceIndicator\n| where isnotempty(NetworkIP)\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains \"Recorded Future\"\n//| summarize count() by Description\n| distinct Description\n| project output = strcat('\"', Description, '\"')\n", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "value": "\"Recorded Future - IP - Actively Communicating C&C Server\"" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "parameters - 1" + } + ], + "exportParameters": true + }, + "name": "group - 10" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected IPs Per Day\n\nThe chart displays the number of correlation detections per day between IP logs and Recorded Future's IP Risk lists.", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where 
isnotempty(Tags)\r\n| join (\r\n {IP_Logs_Table:value}\r\n | where TimeGenerated {IP_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend IP_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.{IP_Logs_Field:value}\r\n| summarize Correlation_Matches=count() by bin(IP_TimeGenerated, 1d)\r\n| render barchart", + "size": 0, + "title": "Detected IPs Per Day", + "noDataMessage": "No detected IPs", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 1" + } + ] + }, + "name": "group - 11" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "items": [ + { + "type": 1, + "content": { + "json": "\n### Guide: Detected IPs\n\nThe Detected IPs table lists IPs from the correlated logs that have been matched with Recorded Future IP Risk Lists.\n\n**Table Columns**\n\n* **Risk Score:** The Recorded Future Risk Score for the IP (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\n* **IP:** The detected IP.\n* **Detected:** The time when the log was correlated with a Risk List.\n* **Log Created:** The time when the log event itself was created.\n* **Threat Classification:** The type of threat associated with the IP (IOC).", + "style": "info" + }, + "conditionalVisibility": { + "parameterName": "Help", + "comparison": "isEqualTo", + "value": "Yes" + }, + "name": "text - 0" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| join (\r\n {IP_Logs_Table:value}\r\n | where TimeGenerated {IP_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend IP_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.{IP_Logs_Field:value}\r\n| project [\"Risk 
Score\"]=ConfidenceScore, IP=NetworkIP, Detected=format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Log Created\"]=format_datetime(IP_TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Threat Classification\"]=ThreatType\r\n| summarize [\"Log Created\"]=max([\"Log Created\"]) by IP, [\"Risk Score\"], Detected, [\"Threat Classification\"]\r\n| project [\"Risk Score\"], IP, Detected, [\"Log Created\"], [\"Threat Classification\"]\r\n| sort by [\"Risk Score\"] desc", + "size": 0, + "title": "Detected IPs", + "noDataMessage": "No detected IPs", + "exportedParameters": [ + { + "fieldName": "IP", + "parameterName": "MaliciousIPMatch", + "parameterType": 5 + } + ], + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Risk", + "formatter": 18, + "formatOptions": { + "thresholdsOptions": "colors", + "thresholdsGrid": [ + { + "operator": ">=", + "thresholdValue": "90", + "representation": "redBright", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "65", + "representation": "orange", + "text": "{0}{1}" + }, + { + "operator": ">=", + "thresholdValue": "25", + "representation": "yellow", + "text": "{0}{1}" + }, + { + "operator": "Default", + "representation": "blue", + "text": "{0}{1}" + } + ] + } + }, + { + "columnMatch": "AdditionalInformation", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "100%" + } + } + ], + "sortBy": [ + { + "itemKey": "$gen_thresholds_Risk_0", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "$gen_thresholds_Risk_0", + "sortOrder": 2 + } + ] + }, + "customWidth": "70", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| join (\r\n {IP_Logs_Table:value}\r\n | where TimeGenerated 
{IP_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend IP_TimeGenerated = TimeGenerated\r\n)\r\non $left.NetworkIP == $right.{IP_Logs_Field:value}\r\n| project Risk=ConfidenceScore, NetworkIP, ThreatType, Tags\r\n| extend Evidence=parse_json(Tags)[0]\r\n| mv-expand Evidence = parse_json(tostring(Evidence))\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc", + "size": 0, + "title": "Top Triggered Risk Rules", + "noDataMessage": "No triggered Risk Rules", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "count_", + "formatter": 8, + "formatOptions": { + "palette": "orange" + } + } + ] + } + }, + "customWidth": "30", + "name": "query - 2" + }, + { + "type": 1, + "content": { + "json": "### Detected IPs: Evidence Details\n\nTo view evidence details, click a row (IP) in the Detected IPs table." + }, + "name": "text - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains {RF_Risk_list:value}\n| where NetworkIP == \"{MaliciousIPMatch}\"\n| where isnotempty(Tags)\n//| where ExpirationDateTime > now()\n| extend Evidence=parse_json(Tags)[0]\n| take 1\n| mv-expand Evidence = parse_json(tostring(Evidence))\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\n| sort by toint(Criticality) desc", + "size": 1, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "formatters": [ + { + "columnMatch": "Evidence_String", + "formatter": 0, + "formatOptions": { + "customColumnWidthSetting": "100%" + } + } + ] + } + }, + "conditionalVisibility": { + "parameterName": "MaliciousIPMatch", + "comparison": "isNotEqualTo" + }, + "name": "query - 
5" + }, + { + "type": 1, + "content": { + "json": "\n### Source data from {IP_Logs_Table:value}\nTo view source data of correlated IP, click a row (IP) in the Detected IPs table." + }, + "name": "text - 5" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "{IP_Logs_Table:value}\n| where TimeGenerated {IP_Logs_Time_Range:query}\n| where {IP_Logs_Field:value} == \"{MaliciousIPMatch}\"\n", + "size": 1, + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "conditionalVisibility": { + "parameterName": "MaliciousIPMatch", + "comparison": "isNotEqualTo" + }, + "name": "query - 9" + } + ] + }, + "name": "group - 11" + } + ], + "styleSettings": { + "paddingStyle": "wide" + }, + "fromTemplateId": "sentinel-RecordedFutureIPCorrelationWorkbook", + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json" +} \ No newline at end of file diff --git a/Solutions/Recorded Future/Workbooks/RecordedFuturePlaybookAlertOverview.json b/Solutions/Recorded Future/Workbooks/RecordedFuturePlaybookAlertOverview.json new file mode 100644 index 00000000000..143c8adbb33 --- /dev/null +++ b/Solutions/Recorded Future/Workbooks/RecordedFuturePlaybookAlertOverview.json 
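Review bot: The `Help` parameter's `typeSettings.additionalResourceOptions` holds the string `"[variables('TemplateEmptyArray')]"`, which looks like an ARM-template expression that leaked into the exported workbook JSON rather than a workbook value; the Hash workbook in this same commit has no `typeSettings` on its `Help` parameter and the Playbook Alert workbook uses a real array (`["value::all"]`), so this key should be dropped or replaced with an array. Two top-level items both carry `"name": "group - 11"` (the per-day chart group and the final Detected IPs group); the workbook editor expects step names to be unique, so the second should be renamed, e.g. `"name": "group - 8"` as in the Hash and Domain workbooks. The "Detected IPs" step declares `sortBy` both inside `gridSettings` and again as a sibling of it, and defines a formatter for an `AdditionalInformation` column that its query never projects — both appear to be leftovers from an earlier version and can be pruned. The `RF_Risk_list` query still contains the commented-out `//| summarize count() by Description` directly above `| distinct Description`, which should be removed now that `distinct` is the chosen form.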
@@ -0,0 +1,263 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "## Recorded Future Playbook Alerts\n---\n\nWorkbook to display and analyze Recorded Future Playbook Alerts. This workbook visualize data that is retrived by the ```Recorded Future Playbook Alerts Importer``` Logic app. First run the Logic app once and then select the RecordedFuturePlaybookAlerts_CL table.",
+ "style": "info"
+ },
+ "name": "text - 2"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "8e8c2f1a-d25d-49d1-a217-9831dbc4f919",
+ "version": "KqlParameterItem/1.0",
+ "name": "time_picker",
+ "label": "Time Picker",
+ "type": 4,
+ "isRequired": true,
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ]
+ },
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": {
+ "durationMs": 259200000
+ }
+ },
+ {
+ "id": "f8d34a51-ba10-4241-abff-cb6c14b50a55",
+ "version": "KqlParameterItem/1.0",
+ "name": "log_table",
+ "label": "Playbook Alerts Log Table",
+ "type": 2,
+ "description": "Run the Recorded Future Playbook Alert Importer Playbook first.",
+ "isRequired": true,
+ "query": "search *\n| where $table endswith \"_CL\" \n| distinct $table\n",
+ "timeContext": {
+ "durationMs": 604800000
+ },
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": "RecordedFuturePlaybookAlerts_CL"
+ },
+ {
+ "id": "89279a9c-af9e-4734-8a98-21aa1f2fa545",
+ "version": 
"KqlParameterItem/1.0",
+ "name": "categories",
+ "label": "Category",
+ "type": 2,
+ "description": "Filter categories you're looking at",
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "{log_table}\n| distinct rule_label_s",
+ "typeSettings": {
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "showDefault": false
+ },
+ "timeContext": {
+ "durationMs": 0
+ },
+ "timeContextFromParameter": "time_picker",
+ "defaultValue": "value::all",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ {
+ "id": "a0947450-1ebd-4dea-94d7-41a751c79237",
+ "version": "KqlParameterItem/1.0",
+ "name": "status",
+ "label": "Alert Status",
+ "type": 2,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "{log_table}\n| distinct status_s",
+ "typeSettings": {
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "showDefault": false
+ },
+ "defaultValue": "value::all",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ {
+ "id": "25a82661-1700-43a6-ba7a-b3ae5d8fe7b9",
+ "version": "KqlParameterItem/1.0",
+ "name": "priority",
+ "label": "Alert Priority",
+ "type": 2,
+ "multiSelect": true,
+ "quote": "'",
+ "delimiter": ",",
+ "query": "{log_table}\n| distinct priority_s",
+ "typeSettings": {
+ "additionalResourceOptions": [
+ "value::all"
+ ],
+ "showDefault": false
+ },
+ "timeContext": {
+ "durationMs": 172800000
+ },
+ "timeContextFromParameter": "time_picker",
+ "defaultValue": "value::all",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 2"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{log_table:value}\n| where rule_label_s in ({categories:value})\n| where status_s in ({status:value}) \n| where priority_s in ({priority:value})\n| distinct id_s, rule_label_s, 
updated_date_t\n| summarize alert_count = count() by rule_label_s\n| project alert_count, Alert = rule_label_s",
+ "size": 0,
+ "title": "Top Categories Triggered",
+ "timeContextFromParameter": "time_picker",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "piechart"
+ },
+ "customWidth": "50",
+ "name": "query - 2",
+ "styleSettings": {
+ "maxWidth": "30"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{log_table:value}\n| where rule_label_s in ({categories:value})\n| where status_s in ({status:value}) \n| where priority_s in ({priority:value})\n| distinct id_s, rule_label_s, updated_date_t\n| summarize Alert=count() by bin(updated_date_t, 1h)\n",
+ "size": 0,
+ "title": "Playbook Alerts triggered over time",
+ "timeContextFromParameter": "time_picker",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "visualization": "categoricalbar"
+ },
+ "customWidth": "50",
+ "name": "query - 2 - Copy",
+ "styleSettings": {
+ "maxWidth": "70"
+ }
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{log_table:value}\n| where rule_label_s in ({categories:value})\n| where status_s in ({status:value}) \n| where priority_s in ({priority:value})\n| distinct updated_date_t, title_s, rule_label_s, status_s, priority_s, link_s, evidence_summary_s, targets_s, created_date_t, id_s\n| project-rename Updated=updated_date_t, Title=title_s, Category=rule_label_s, Status=status_s, Priority=priority_s, Created=created_date_t, Targets=targets_s, [\"Evidence\"]=evidence_summary_s, [\"External Link\"]=link_s, ID=id_s\n\n",
+ "size": 0,
+ "title": "Triggered Playbook Alerts",
+ "noDataMessage": "No data in Playbook Alert custom log. 
Check that playbook/logic apps is running without errors and rules for playbook alerts is setup in Recorded Future Portal.",
+ "timeContextFromParameter": "time_picker",
+ "exportFieldName": "id_s",
+ "exportParameterName": "exported_alert_id",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Title",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "GenericDetails",
+ "linkIsContextBlade": true
+ }
+ },
+ {
+ "columnMatch": "Link",
+ "formatter": 7,
+ "formatOptions": {
+ "linkTarget": "Url",
+ "linkLabel": "Recorded Future"
+ }
+ },
+ {
+ "columnMatch": "ID",
+ "formatter": 5
+ }
+ ],
+ "sortBy": [
+ {
+ "itemKey": "Updated",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "sortBy": [
+ {
+ "itemKey": "Updated",
+ "sortOrder": 2
+ }
+ ]
+ },
+ "name": "query - 8"
+ }
+ ],
+ "fromTemplateId": "sentinel-RecordedFuturePlaybookAlertOverview",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/Recorded Future/Workbooks/RecordedFutureURLCorrelation.json b/Solutions/Recorded Future/Workbooks/RecordedFutureURLCorrelation.json
new file mode 100644
index 00000000000..bc64db21dd0
--- /dev/null
+++ b/Solutions/Recorded Future/Workbooks/RecordedFutureURLCorrelation.json
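Review bot: The `status` parameter in the parameters item is the only filter dropdown not bound to the time picker: `categories` and `priority` both set `"timeContextFromParameter": "time_picker"`, while `status` has neither that nor a `timeContext`, so its `distinct status_s` list is built over a different range than the two filters beside it; adding `"timeContextFromParameter": "time_picker"` to it keeps the three consistent (the `timeContext` values of `categories` and `priority`, `0` and `172800000`, could be aligned at the same time). In the "Triggered Playbook Alerts" grid the second formatter has `"columnMatch": "Link"`, but the query renames that field to `External Link`; if `columnMatch` is an exact-name match, the `Url` formatter never applies and `"columnMatch": "External Link"` is what was intended. The intro text also reads "This workbook visualize data that is retrived by"; "visualizes" and "retrieved" are the words.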
@@ -0,0 +1,444 @@
+{
+ "version": "Notebook/1.0",
+ "items": [
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "d7ccc5ca-c8ec-458f-ab0d-564a7ef1d217",
+ "version": "KqlParameterItem/1.0",
+ "name": "Help",
+ "label": "Show Guide",
+ "type": 10,
+ "isRequired": true,
+ "jsonData": "[\n {\"value\": \"Yes\", \"label\": \"Yes\", \"selected\":true},\n {\"value\": \"No\", \"label\": \"No\"}\n]",
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": "No"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "parameters - 7"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Guide: URL Correlation \n\nRecorded Future’s URL Correlation Workbook helps you detect malicious URLs within your environment by correlating your logs with Recorded Future URL Risk Lists.\n\n### How to Correlate URLs\n\nTo correlate URLs, follow the steps below:\n\n1. In the **URL Logs Table** dropdown, select a log table that contains URL logs.\n\t* If a particular log table is not listed in the dropdown, ensure it is enabled in your environment.\n2. In the **Log field with URLs** dropdown, select the log field that holds the URLs to be correlated.\n\t* The workbook can correlate URLs in the format: `https://testurl.here.net`.\n3. Select a Recorded Future URL Risk List for correlation.\n4. If necessary, adjust the values in the **Logs from** and **Data from** dropdowns to match your requirements.\n5. 
Done\n\n---\n\n#### Log table with examples of correlatable log fields\n\n| Table | Field |\n|-------------------|------------|\n| CommonSecurityLog | RequestURL |",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "text - 11"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "### URL (from logs)"
+ },
+ "customWidth": "50",
+ "name": "text - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Recorded Future Risk List"
+ },
+ "customWidth": "50",
+ "name": "text - 3"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "b91b8b5b-10cf-4106-99e2-793eb0d72dce",
+ "version": "KqlParameterItem/1.0",
+ "name": "URL_Logs_Time_Range",
+ "label": "Logs from",
+ "type": 4,
+ "isRequired": true,
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ]
+ },
+ "timeContext": {
+ "durationMs": 86400000
+ },
+ "value": {
+ "durationMs": 7776000000
+ }
+ },
+ {
+ "id": "3300ad41-acbc-4ebd-900a-c6ab250b7c73",
+ "version": "KqlParameterItem/1.0",
+ "name": "URL_Logs_Table",
+ "label": "URL Logs Table",
+ "type": 2,
+ "description": "Log Table to correlate URLs Against",
+ "isRequired": true,
+ "query": "search \"*\" \n| where TimeGenerated {URL_Logs_Time_Range:query}\n| summarize count() by $table | sort by count_ desc | where $table != 
\"ThreatIntelligenceIndicator\" | project $table\n",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": "Squid_Proxy_URL_CL"
+ },
+ {
+ "id": "f4f77ada-b97c-4a82-9421-20a58fb7ce26",
+ "version": "KqlParameterItem/1.0",
+ "name": "URL_Logs_Field",
+ "label": "Log Field with URLs",
+ "type": 2,
+ "description": "Select the field containing the URL that you want to correlate against",
+ "isRequired": true,
+ "query": "{URL_Logs_Table:value}\n| getschema\n| where DataType == \"System.String\"\n| project ColumnName",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": "URL_s"
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "50",
+ "name": "parameters - 0"
+ },
+ {
+ "type": 9,
+ "content": {
+ "version": "KqlParameterItem/1.0",
+ "parameters": [
+ {
+ "id": "95e78560-1e69-437c-8226-7b0f8c4dc199",
+ "version": "KqlParameterItem/1.0",
+ "name": "Threat_Intelligence_Time_Range",
+ "label": "Data from",
+ "type": 4,
+ "isRequired": true,
+ "typeSettings": {
+ "selectableValues": [
+ {
+ "durationMs": 300000
+ },
+ {
+ "durationMs": 900000
+ },
+ {
+ "durationMs": 1800000
+ },
+ {
+ "durationMs": 3600000
+ },
+ {
+ "durationMs": 14400000
+ },
+ {
+ "durationMs": 43200000
+ },
+ {
+ "durationMs": 86400000
+ },
+ {
+ "durationMs": 172800000
+ },
+ {
+ "durationMs": 259200000
+ },
+ {
+ "durationMs": 604800000
+ },
+ {
+ "durationMs": 1209600000
+ },
+ {
+ "durationMs": 2419200000
+ },
+ {
+ "durationMs": 2592000000
+ },
+ {
+ "durationMs": 5184000000
+ },
+ {
+ "durationMs": 7776000000
+ }
+ ]
+ },
+ "value": {
+ "durationMs": 7776000000
+ }
+ },
+ {
+ "id": "e7c7e2ea-f5b3-4505-b64c-b18ca8561168",
+ "version": "KqlParameterItem/1.0",
+ "name": "RF_Risk_list",
+ "label": "Risk List",
+ "type": 2,
+ "description": "Which Domain Risk List do you want to correlate against",
+ "isRequired": true,
+ "query": 
"ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where isnotempty(Url)\n| where Description contains \"Recorded Future\"\n| summarize count() by Description\n| project output = strcat('\"', Description, '\"')\n",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "value": "\"Recorded Future - URL - Recently Reported by Insikt Group\""
+ }
+ ],
+ "style": "pills",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "customWidth": "50",
+ "name": "parameters - 1"
+ }
+ ],
+ "exportParameters": true
+ },
+ "name": "group - 10"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": "NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "\n### Guide: Detected URLs Per Day\n\nThe chart displays the number of correlation detections per day between URL logs and Recorded Future's URL Risk lists.",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "text - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| join (\r\n {URL_Logs_Table:value}\r\n | where TimeGenerated {URL_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend URL_TimeGenerated = TimeGenerated\r\n)\r\non $left.Url == $right.{URL_Logs_Field:value}\r\n| summarize Correlation_Matches=count() by bin(URL_TimeGenerated, 1d)\r\n| render barchart",
+ "size": 0,
+ "title": "Detected URLs Per Day",
+ "noDataMessage": "No detected URLs",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "name": "query - 1"
+ }
+ ]
+ },
+ "name": "group - 11"
+ },
+ {
+ "type": 12,
+ "content": {
+ "version": 
"NotebookGroup/1.0",
+ "groupType": "editable",
+ "items": [
+ {
+ "type": 1,
+ "content": {
+ "json": "\n### Guide: Detected URLs\n\nThe Detected URLs table lists URLs from the correlated logs that have been matched with Recorded Future URL Risk Lists.\n\n**Table Columns**\n\n* **Risk Score:** The Recorded Future Risk Score for the URL (IOC), ranging from 1 to 99, with 99 being the highest level of severity.\n* **URL:** The detected URL.\n* **Detected:** The time when the log was correlated with a Risk List.\n* **Log Created:** The time when the log event itself was created.\n* **Threat Classification:** The type of threat associated with the URL (IOC).",
+ "style": "info"
+ },
+ "conditionalVisibility": {
+ "parameterName": "Help",
+ "comparison": "isEqualTo",
+ "value": "Yes"
+ },
+ "name": "text - 0"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| join (\r\n {URL_Logs_Table:value}\r\n | where TimeGenerated {URL_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend IP_TimeGenerated = TimeGenerated\r\n)\r\non $left.Url == $right.{URL_Logs_Field:value}\r\n| project [\"Risk Score\"]=ConfidenceScore, URL=Url, Detected = format_datetime(TimeGenerated, 'yyyy-MM-dd HH:mm:ss'), [\"Log Created\"] = IP_TimeGenerated, [\"Threat Classification\"]=ThreatType\r\n| summarize [\"Log Created\"]=max([\"Log Created\"]) by URL, [\"Risk Score\"], Detected, [\"Threat Classification\"]\r\n| project [\"Risk Score\"], URL, Detected, [\"Log Created\"], [\"Threat Classification\"]\r\n| sort by [\"Risk Score\"] desc\r\n",
+ "size": 0,
+ "title": "Detected URLs",
+ "noDataMessage": "No detected URLs",
+ "exportFieldName": "URL",
+ "exportParameterName": "MaliciousURLMatch",
+ "queryType": 0,
+ "resourceType": 
"microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "Risk",
+ "formatter": 18,
+ "formatOptions": {
+ "thresholdsOptions": "colors",
+ "thresholdsGrid": [
+ {
+ "operator": ">=",
+ "thresholdValue": "90",
+ "representation": "redBright",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": ">=",
+ "thresholdValue": "65",
+ "representation": "orange",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": ">=",
+ "thresholdValue": "25",
+ "representation": "yellow",
+ "text": "{0}{1}"
+ },
+ {
+ "operator": "Default",
+ "representation": "blue",
+ "text": "{0}{1}"
+ }
+ ]
+ }
+ }
+ ]
+ }
+ },
+ "customWidth": "70",
+ "name": "query - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "ThreatIntelligenceIndicator\r\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\r\n| where Description contains {RF_Risk_list:value}\r\n| where isnotempty(Tags)\r\n| join (\r\n {URL_Logs_Table:value}\r\n | where TimeGenerated {URL_Logs_Time_Range:query}\r\n // renaming time column so it is clear the log this came from\r\n | extend URL_TimeGenerated = TimeGenerated\r\n)\r\non $left.Url == $right.{URL_Logs_Field:value}\r\n| project Risk=ConfidenceScore, Url, ThreatType, Tags\r\n| extend Evidence=parse_json(Tags)[0]\r\n| mv-expand Evidence = parse_json(tostring(Evidence))\r\n| extend Rule=Evidence['Rule']\r\n| summarize count() by tostring(Rule)\r\n| sort by count_ desc\r\n\r\n",
+ "size": 0,
+ "title": "Top Triggered Risk Rules",
+ "noDataMessage": "No triggered Risk Rules",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces",
+ "gridSettings": {
+ "formatters": [
+ {
+ "columnMatch": "count_",
+ "formatter": 8,
+ "formatOptions": {
+ "palette": "orange"
+ }
+ }
+ ]
+ }
+ },
+ "customWidth": "30",
+ "name": "query - 2"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "### Detected URLs: Evidence Details\n\nTo view evidence details, click a row (URL) in the Detected URLs table." 
+ },
+ "name": "text - 3"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "ThreatIntelligenceIndicator\n| where TimeGenerated {Threat_Intelligence_Time_Range:query}\n| where Description contains {RF_Risk_list}\n| where Url == \"{MaliciousURLMatch}\"\n| where isnotempty(Tags)\n//| where ExpirationDateTime > now()\n| extend Evidence=parse_json(Tags)[0]\n| take 1\n| mv-expand Evidence = parse_json(tostring(Evidence))\n| project Rules = Evidence['Rule'], Criticality = Evidence['Criticality'], Evidence_String = Evidence['EvidenceString']\n| sort by toint(Criticality) desc",
+ "size": 1,
+ "noDataMessage": "ExpirationDateTime",
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "conditionalVisibility": {
+ "parameterName": "MaliciousURLMatch",
+ "comparison": "isNotEqualTo"
+ },
+ "name": "query - 5"
+ },
+ {
+ "type": 1,
+ "content": {
+ "json": "\n### Source data from {URL_Logs_Table:value}\nTo view source data of correlated URL, click a row (URL) in the Detected URLs table."
+ },
+ "name": "text - 5"
+ },
+ {
+ "type": 3,
+ "content": {
+ "version": "KqlItem/1.0",
+ "query": "{URL_Logs_Table:value}\n| where TimeGenerated {URL_Logs_Time_Range:query}\n| where {URL_Logs_Field:value} == \"{MaliciousURLMatch}\"\n",
+ "size": 1,
+ "queryType": 0,
+ "resourceType": "microsoft.operationalinsights/workspaces"
+ },
+ "conditionalVisibility": {
+ "parameterName": "MaliciousURLMatch",
+ "comparison": "isNotEqualTo"
+ },
+ "name": "query - 6"
+ }
+ ]
+ },
+ "name": "group - 10"
+ }
+ ],
+ "styleSettings": {
+ "paddingStyle": "wide"
+ },
+ "fromTemplateId": "sentinel-RecordedFutureURLCorrelationWorkbook",
+ "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json"
+}
\ No newline at end of file
diff --git a/Solutions/Recorded Future/readme.md b/Solutions/Recorded Future/readme.md
new file mode 100644
index 00000000000..ea95d7b645d
--- /dev/null
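Review bot: The evidence-details item (`"name": "query - 5"`) sets `"noDataMessage": "ExpirationDateTime"`, which looks like a leftover from the commented-out `//| where ExpirationDateTime > now()` filter rather than a message for the viewer; `"noDataMessage": "No evidence details for the selected URL"` says what is missing. Several strings still carry over from the IP workbook: the `RF_Risk_list` description asks "Which Domain Risk List do you want to correlate against" although the query lists URL risk lists, the "Detected URLs" query extends `IP_TimeGenerated` where the sibling queries use `URL_TimeGenerated`, and its formatter uses `"columnMatch": "Risk"` while the projected column is `Risk Score`, so if `columnMatch` is an exact-name match the threshold colouring never applies. The evidence query also reads `{RF_Risk_list}` where every other item uses `{RF_Risk_list:value}`; the two may resolve identically for a dropdown, but one form is easier to audit. A caveat for both the evidence and source-data items: `{MaliciousURLMatch}` is substituted into a double-quoted KQL literal (`| where Url == \"{MaliciousURLMatch}\"`) and nothing visible in this hunk escapes it, so an indicator URL containing `"` would break the query for that viewer rather than return the row.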
+++ b/Solutions/Recorded Future/readme.md
@@ -0,0 +1,17 @@
+[Recorded Future](https://www.recordedfuture.com/)
+# Recorded Future Intelligence for Microsoft Sentinel
+
+Instructions how to install and use Recorded Future Solution for Microsoft Sentinel or how to install individual playbooks kan be found in the [ main readme.md](playbooks/readme.md) in the Playbook subdirectory in this repository.
+
+Recorded Future also provide standalone Playbooks in this repository for EntraID (identity) and Defender for endpoints:
+
+**Recorded Future Sentinel Solution**
+- [Installation guide](playbooks/readme.md)
+
+**Recorded Future Defender Integrations**
+- [Recorded Future Defender playbooks](../../Playbooks/RecordedFuture-Block-IPs-and-Domains-on-Microsoft-Defender-for-Endpoint/)
+- [Recorded Future Defender SCF playbooks](../../Playbooks/RecordedFuture_IP_SCF/)
+
+**Recorded Future for Identity**
+- [Recorded Future Identity](../Recorded%20Future%20Identity/Playbooks/readme.md)
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index ce139b613b6..3e3513c1fb7 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -5533,4 +5533,4 @@
 "templateRelativePath": "DataminrPulseAlerts.json",
 "provider": "Dataminr"
 }
-]
+]
\ No newline at end of file
diff --git a/Workbooks/Images/Logos/greynoise_logomark_black.svg b/Workbooks/Images/Logos/greynoise_logomark_black.svg
new file mode 100644
index 00000000000..12c2e131372
--- /dev/null
+++ b/Workbooks/Images/Logos/greynoise_logomark_black.svg
@@ -0,0 +1,42 @@
+ + + + + + + + + + + + + + + + + + + + + 
diff --git a/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png b/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png
new file mode 100644
index 00000000000..79d9cb60c45
Binary files /dev/null and b/Workbooks/Images/Preview/GreyNoiseOverviewBlack.png differ
diff --git a/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png b/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png
new file mode 100644
index 00000000000..14c534e9a70
Binary files /dev/null and b/Workbooks/Images/Preview/GreyNoiseOverviewWhite.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureAlertOverviewBlack.png b/Workbooks/Images/Preview/RecordedFutureAlertOverviewBlack.png
new file mode 100644
index 00000000000..575a9e1a0bd
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureAlertOverviewBlack.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureAlertOverviewWhite.png b/Workbooks/Images/Preview/RecordedFutureAlertOverviewWhite.png
new file mode 100644
index 00000000000..776e7ba6d2a
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureAlertOverviewWhite.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureDomainCorrelationBlack.png b/Workbooks/Images/Preview/RecordedFutureDomainCorrelationBlack.png
new file mode 100644
index 00000000000..84056416677
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureDomainCorrelationBlack.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureDomainCorrelationWhite.png b/Workbooks/Images/Preview/RecordedFutureDomainCorrelationWhite.png
new file mode 100644
index 00000000000..0867027c94c
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureDomainCorrelationWhite.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureHashCorrelationBlack.png b/Workbooks/Images/Preview/RecordedFutureHashCorrelationBlack.png
new file mode 100644
index 00000000000..814b1000ccd
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureHashCorrelationBlack.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureHashCorrelationWhite.png b/Workbooks/Images/Preview/RecordedFutureHashCorrelationWhite.png
new file mode 100644
index 00000000000..68896a81627
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureHashCorrelationWhite.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureIPCorrelationBlack.png b/Workbooks/Images/Preview/RecordedFutureIPCorrelationBlack.png
new file mode 100644
index 00000000000..f356f10587f
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureIPCorrelationBlack.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureIPCorrelationWhite.png b/Workbooks/Images/Preview/RecordedFutureIPCorrelationWhite.png
new file mode 100644
index 00000000000..ff3a4b5266f
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureIPCorrelationWhite.png differ
diff --git a/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewBlack1.png b/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewBlack1.png
new file mode 100644
index 00000000000..6a4d04183bf
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewBlack1.png differ
diff --git a/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewWhite1.png b/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewWhite1.png
new file mode 100644
index 00000000000..55a91554e38
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFuturePlaybookAlertOverviewWhite1.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureUrlCorrelationBlack.png b/Workbooks/Images/Preview/RecordedFutureUrlCorrelationBlack.png
new file mode 100644
index 00000000000..e1429a00277
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureUrlCorrelationBlack.png differ
diff --git a/Workbooks/Images/Preview/RecordedFutureUrlCorrelationWhite.png b/Workbooks/Images/Preview/RecordedFutureUrlCorrelationWhite.png
new file mode 100644
index 00000000000..06cea3d4bd7
Binary files /dev/null and b/Workbooks/Images/Preview/RecordedFutureUrlCorrelationWhite.png differ
diff --git a/Workbooks/WorkbooksMetadata.json b/Workbooks/WorkbooksMetadata.json
index dffcfa68a61..a015e8b4fa4 100644
--- a/Workbooks/WorkbooksMetadata.json
+++ b/Workbooks/WorkbooksMetadata.json
@@ -4681,36 +4681,6 @@
 "subtitle": "",
 "provider": "Darktrace"
 },
-{
- "workbookKey": "RecordedFutureDomainC2DNSWorkbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Sets the time name for DNS Events and Threat Intelligence Time Range",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting",
- "templateRelativePath": "Recorded Future - C&C DNS Name to DNS Events - Correlation&Threat Hunting.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
-{
- "workbookKey": "RecordedFutureIPActiveC2Workbook",
- "logoFileName": "RecordedFuture.svg",
- "description": "Sets the time name for DNS Events and Threat Intelligence Time Range",
- "dataTypesDependencies": [
- "ThreatIntelligenceIndicator"
- ],
- "dataConnectorsDependencies": [],
- "previewImagesFileNames": [""],
- "version": "1.0.0",
- "title": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting",
- "templateRelativePath": "Recorded Future - Actively Communicating C&C IPs to DNS Events - Correlation&Threat Hunting.json",
- "subtitle": "",
- "provider": "Recorded Future"
-},
 {
 "workbookKey": "MaturityModelForEventLogManagement_M2131",
 "logoFileName": "contrastsecurity_logo.svg",
@@ -6647,7 +6617,27 @@
 "domains": [
 "IT Operations"
 ]
-}
+ }
+},
+{
+ "workbookKey": "GreyNoiseIntellegenceOverviewWorkbook",
+ "logoFileName": "greynoise_logomark_black.svg",
+ "description": "This workbook provides visualization of GreyNoise Intelligence threat indicators which are ingested in the Microsoft Sentinel Threat intelligence.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [
+ "GreyNoise2SentinelAPI"
+ ],
+ "previewImagesFileNames": [
+ "GreyNoiseOverviewWhite.png",
+ "GreyNoiseOverviewBlack.png"
+ ],
+ "version": "1.0",
+ "title": "GreyNoise Intelligence Threat Indicators",
+ "templateRelativePath": "GreyNoiseOverview.json",
+ "subtitle": "",
+ "provider": "GreyNoise Intelligence, Inc."
 },
 {
 "workbookKey": "WizFindingsWorkbook",
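Review bot: The new entry's `workbookKey` is spelled `GreyNoiseIntellegenceOverviewWorkbook`; since this key is what other metadata and the solution tooling will reference, it is cheapest to correct before anything depends on it, `"workbookKey": "GreyNoiseIntelligenceOverviewWorkbook"`. Its `"version": "1.0"` is also the only two-part version among the neighbouring entries, which use three-part values such as `"1.0.0"`; `"version": "1.0.0"` matches them. The two preview images named here are added elsewhere in this diff, but the template `GreyNoiseOverview.json` is not visible in this part of it, so I cannot confirm that `templateRelativePath` resolves.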
@@ -6674,5 +6664,113 @@
 "templateRelativePath": "WizFindings.json",
 "subtitle": "",
 "provider": "Wiz"
+},
+{
+ "workbookKey": "RecordedFutureAlertOverviewWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Alert-Importer.",
+ "dataTypesDependencies": [
+ "RecordedFuturePortalAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureAlertOverviewWhite.png",
+ "RecordedFutureAlertOverviewBlack.png"
+ ],
+ "version": "1.0.0",
+ "title": "Recorded Future - Alerts Overview",
+ "templateRelativePath": "RecordedFutureAlertOverview.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+},
+{
+ "workbookKey": "RecordedFuturePlaybookAlertOverviewWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Playbook Alerts Overview Workbook. This workbook will visualize playbook alerts imported via the RecordedFuture-Playbook-Alert-Importer.",
+ "dataTypesDependencies": [
+ "RecordedFuturePlaybookAlerts_CL"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFuturePlaybookAlertOverviewWhite1.png",
+ "RecordedFuturePlaybookAlertOverviewBlack1.png"
+ ],
+ "version": "1.0.0",
+ "title": "Recorded Future - Playbook Alerts Overview",
+ "templateRelativePath": "RecordedFuturePlaybookAlertOverview.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+},
+{
+ "workbookKey": "RecordedFutureDomainCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Domain Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureDomainCorrelationWhite.png",
+ "RecordedFutureDomainCorrelationBlack.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - Domain Correlation",
+ "templateRelativePath": "RecordedFutureDomainCorrelation.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+},
+{
+ "workbookKey": "RecordedFutureHashCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future Hash Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureHashCorrelationWhite.png",
+ "RecordedFutureHashCorrelationBlack.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - Hash Correlation",
+ "templateRelativePath": "RecordedFutureHashCorrelation.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+},
+{
+ "workbookKey": "RecordedFutureIPCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future IP Correlation Workbook. 
This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureIPCorrelationWhite.png",
+ "RecordedFutureIPCorrelationBlack.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - IP Correlation",
+ "templateRelativePath": "RecordedFutureIPCorrelation.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
+},
+{
+ "workbookKey": "RecordedFutureURLCorrelationWorkbook",
+ "logoFileName": "RecordedFuture.svg",
+ "description": "Recorded Future URL Correlation Workbook. This workbook will visualize Recorded Future threat intelligence data together with infrastructure logs ingested in to Sentinel.",
+ "dataTypesDependencies": [
+ "ThreatIntelligenceIndicator"
+ ],
+ "dataConnectorsDependencies": [],
+ "previewImagesFileNames": [
+ "RecordedFutureUrlCorrelationWhite.png",
+ "RecordedFutureUrlCorrelationBlack.png"
+ ],
+ "version": "1.0.1",
+ "title": "Recorded Future - URL Correlation",
+ "templateRelativePath": "RecordedFutureURLCorrelation.json",
+ "subtitle": "",
+ "provider": "Recorded Future"
 }
-]
+]
\ No newline at end of file
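Review bot: The `RecordedFutureAlertOverviewWorkbook` entry's description says the workbook "will visualize playbook alerts imported via the RecordedFuture-Alert-Importer", yet its data type is `RecordedFuturePortalAlerts_CL` and the importer name carries no "Playbook", so the sentence appears copied from the `RecordedFuturePlaybookAlertOverviewWorkbook` entry that follows; `"description": "Recorded Future Alerts Overview Workbook. This workbook will visualize alerts imported via the RecordedFuture-Alert-Importer.",` matches what the entry declares. The four correlation descriptions write "ingested in to Sentinel"; "into" is the word. The hunk also removes the newline after the closing `]`, as the `@@ -5533,4 +5533,4 @@` hunk in `Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json` does; keeping the final newline avoids a spurious diff on the last entry in every later edit.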