[a-zA-Z0-9-_:/@.#{}'' ]+)\", dynamic([\"key\",\"value\"]), tostring(AdditionalExtensions))\r\n| mv-apply AdditionalFields on (\r\n summarize AdditionalFields = make_list(pack(tostring(AdditionalFields[0]), AdditionalFields[1]))\r\n )\r\n| project-rename EventVendor = DeviceVendor\r\n , EventProduct = DeviceProduct\r\n , EventId = DeviceEventClassID\r\n , EventSeverity = LogSeverity\r\n , DvcAction = DeviceAction\r\n , DvcIpAddr = DeviceAddress\r\n , EventMessage = Message\r\n , EventProductVersion = DeviceVersion\r\n , SerialNumber = DeviceExternalID\r\n , DvcInboundInterface = DeviceInboundInterface\r\n , DvcOutboundInterface = DeviceOutboundInterface\r\n , DstUserName = DestinationUserName\r\n , SrcUserName = SourceUserName\r\n , MailPolicy = DeviceCustomString1\r\n , SrcGeoCountry = DeviceCustomString2\r\n , ThreatCategory = DeviceCustomString3\r\n , EventOriginalUid = DeviceCustomString4\r\n , MailLanguage = DeviceCustomString5\r\n , SdrRepScore = DeviceCustomString6\r\n , SbrsScore = DeviceCustomFloatingPoint1\r\n| project-away Activity\r\n , DeviceCustomString1Label\r\n , DeviceCustomString2Label\r\n , DeviceCustomString3Label\r\n , DeviceCustomString4Label\r\n , DeviceCustomString5Label\r\n , DeviceCustomString6Label\r\n , DeviceCustomFloatingPoint1Label\r\n , AdditionalExtensions\r\n",
- "version": 1
- }
- },
- {
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "location": "[parameters('workspace-location')]",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId1'),'/'))))]",
- "dependsOn": [
- "[variables('_parserId1')]"
- ],
- "properties": {
- "parentId": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]",
- "contentId": "[variables('_parserContentId1')]",
- "kind": "Parser",
- "version": "[variables('parserVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
- }
- },
- {
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('dataConnectorTemplateSpecName1')]",
- "location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
- "properties": {
- "description": "CiscoSEG data connector with template",
- "displayName": "CiscoSEG template"
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId4')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - DMARK failures",
+ "contentProductId": "[variables('_huntingQuerycontentProductId4')]",
+ "id": "[variables('_huntingQuerycontentProductId4')]",
+ "version": "[variables('huntingQueryVersion4')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName5')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "DataConnector"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEG data connector with template version 2.0.1",
+ "description": "CiscoSEGFailedSPFFailure_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('dataConnectorVersion1')]",
+ "contentVersion": "[variables('huntingQueryVersion5')]",
"parameters": {},
"variables": {},
"resources": [
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_5",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
"properties": {
- "connectorUiConfig": {
- "id": "[variables('_uiConfigId1')]",
- "title": "Cisco Secure Email Gateway",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CiscoSEGEvent"
- }
- ],
- "sampleQueries": [
- {
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
- }
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway"
- },
- {
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
- },
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
- }
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
- {
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
- },
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
- },
- {
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
- }
- ]
- }
+ "eTag": "*",
+ "displayName": "Cisco SEG - SPF failures",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where tostring(AdditionalFields) has 'ESASPFVerdict'\n| extend spf_status = extract(@'ESASPFVerdict\":\"(Pass|Neutral|SoftFail|Fail|TempError|PermError)\"', 1, tostring(AdditionalFields))\n| where spf_status in~ ('Fail', 'TempError', 'PermError')\n| extend AccountCustomEntity = SrcUserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for mails with SPF failure status."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1566"
+ }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId5'),'/'))))]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
+ "description": "CiscoSEG Hunting Query 5",
+ "parentId": "[variables('huntingQueryId5')]",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion5')]",
"source": {
"kind": "Solution",
"name": "CiscoSEG",
@@ -2601,230 +2724,413 @@
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId5')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - SPF failures",
+ "contentProductId": "[variables('_huntingQuerycontentProductId5')]",
+ "id": "[variables('_huntingQuerycontentProductId5')]",
+ "version": "[variables('huntingQueryVersion5')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName6')]",
+ "location": "[parameters('workspace-location')]",
"dependsOn": [
- "[variables('_dataConnectorId1')]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
- "location": "[parameters('workspace-location')]",
"properties": {
- "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "kind": "DataConnector",
- "version": "[variables('dataConnectorVersion1')]",
- "source": {
- "kind": "Solution",
- "name": "CiscoSEG",
- "sourceId": "[variables('_solutionId')]"
- },
- "author": {
- "name": "Microsoft",
- "email": "[variables('_email')]"
+ "description": "CiscoSEGFailedTLSIn_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion6')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_6",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Cisco SEG - Failed incoming TLS connections",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where tostring(AdditionalFields) has 'ESATLSInConnStatus'\n| extend tls_status = extract(@'ESATLSInConnStatus\":\"(Success|Failure)\"', 1, tostring(AdditionalFields))\n| where tls_status =~ 'Failure'\n| extend AccountCustomEntity = DstUserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches failed TLS incoming connections."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1566"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId6'),'/'))))]",
+ "properties": {
+ "description": "CiscoSEG Hunting Query 6",
+ "parentId": "[variables('huntingQueryId6')]",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion6')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CiscoSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
},
- "support": {
- "name": "Microsoft Corporation",
- "email": "support@microsoft.com",
- "tier": "Microsoft",
- "link": "https://support.microsoft.com"
- }
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId6')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - Failed incoming TLS connections",
+ "contentProductId": "[variables('_huntingQuerycontentProductId6')]",
+ "id": "[variables('_huntingQuerycontentProductId6')]",
+ "version": "[variables('huntingQueryVersion6')]"
}
},
{
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId1'))]",
- "apiVersion": "2021-03-01-preview",
- "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName7')]",
"location": "[parameters('workspace-location')]",
- "kind": "GenericUI",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "connectorUiConfig": {
- "title": "Cisco Secure Email Gateway",
- "publisher": "Cisco",
- "descriptionMarkdown": "The [Cisco Secure Email Gateway (SEG)](https://www.cisco.com/c/en/us/products/security/email-security/index.html) data connector provides the capability to ingest [Cisco SEG Consolidated Event Logs](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1061902) into Microsoft Sentinel.",
- "graphQueries": [
- {
- "metricName": "Total data received",
- "legend": "CiscoSEG",
- "baseQuery": "CiscoSEGEvent"
- }
- ],
- "dataTypes": [
- {
- "name": "CommonSecurityLog (CiscoSEG)",
- "lastDataReceivedQuery": "CiscoSEGEvent\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
- }
- ],
- "connectivityCriterias": [
- {
- "type": "IsConnectedQuery",
- "value": [
- "CiscoSEGEvent\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
- ]
- }
- ],
- "sampleQueries": [
+ "description": "CiscoSEGFailedTLSOut_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion7')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
{
- "description": "Top 10 Senders",
- "query": "CiscoSEGEvent\n | where isnotempty(SrcUserName)\n | summarize count() by SrcUserName\n | top 10 by count_"
- }
- ],
- "availability": {
- "status": 1,
- "isPreview": false
- },
- "permissions": {
- "resourceProvider": [
- {
- "provider": "Microsoft.OperationalInsights/workspaces",
- "permissionsDisplayText": "read and write permissions are required.",
- "providerDisplayName": "Workspace",
- "scope": "Workspace",
- "requiredPermissions": {
- "write": true,
- "read": true,
- "delete": true
- }
- },
- {
- "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
- "permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
- "providerDisplayName": "Keys",
- "scope": "Workspace",
- "requiredPermissions": {
- "action": true
- }
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_7",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Cisco SEG - Failed outgoing TLS connections",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where tostring(AdditionalFields) has 'ESATLSOutConnStatus'\n| extend tls_status = extract(@'ESATLSOutConnStatus\":\"(Success|Failure)\"', 1, tostring(AdditionalFields))\n| where tls_status =~ 'Failure'\n| extend AccountCustomEntity = SrcUserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches failed TLS outgoing connections."
+ },
+ {
+ "name": "tactics",
+ "value": "Impact"
+ },
+ {
+ "name": "techniques",
+ "value": "T1565"
+ }
+ ]
}
- ]
- },
- "instructionSteps": [
- {
- "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- },
- {
- "description": ">**NOTE:** This data connector has been developed using AsyncOS 14.0 for Cisco Secure Email Gateway"
},
{
- "description": "Install and configure the Linux agent to collect your Common Event Format (CEF) Syslog messages and forward them to Microsoft Sentinel.\n\n> Notice that the data from all regions will be stored in the selected workspace",
- "innerSteps": [
- {
- "title": "1.1 Select or create a Linux machine",
- "description": "Select or create a Linux machine that Microsoft Sentinel will use as the proxy between your security solution and Microsoft Sentinel this machine can be on your on-prem environment, Azure or other clouds."
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId7'),'/'))))]",
+ "properties": {
+ "description": "CiscoSEG Hunting Query 7",
+ "parentId": "[variables('huntingQueryId7')]",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion7')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CiscoSEG",
+ "sourceId": "[variables('_solutionId')]"
},
- {
- "title": "1.2 Install the CEF collector on the Linux machine",
- "description": "Install the Microsoft Monitoring Agent on your Linux machine and configure the machine to listen on the necessary port and forward messages to your Microsoft Sentinel workspace. The CEF collector collects CEF messages on port 514 TCP.\n\n> 1. Make sure that you have Python on your machine using the following command: python -version.\n\n> 2. You must have elevated permissions (sudo) on your machine.",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId",
- "PrimaryKey"
- ],
- "label": "Run the following command to install and apply the CEF collector:",
- "value": "sudo wget -O cef_installer.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_installer.py&&sudo python cef_installer.py {0} {1}"
- },
- "type": "CopyableLabel"
- }
- ]
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
}
- ],
- "title": "1. Linux Syslog agent configuration"
- },
- {
- "description": "Follow these steps to configure Cisco Secure Email Gateway to forward logs via syslog:\n\n2.1. Configure [Log Subscription](https://www.cisco.com/c/en/us/td/docs/security/esa/esa14-0/user_guide/b_ESA_Admin_Guide_14-0/b_ESA_Admin_Guide_12_1_chapter_0100111.html#con_1134718)\n\n>**NOTE:** Select **Consolidated Event Logs** in Log Type field.",
- "title": "2. Forward Common Event Format (CEF) logs to Syslog agent"
- },
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId7')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - Failed outgoing TLS connections",
+ "contentProductId": "[variables('_huntingQuerycontentProductId7')]",
+ "id": "[variables('_huntingQuerycontentProductId7')]",
+ "version": "[variables('huntingQueryVersion7')]"
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName8')]",
+ "location": "[parameters('workspace-location')]",
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
+ "properties": {
+ "description": "CiscoSEGInsecureProtocol_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion8')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
{
- "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\n>It may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n> 1. Make sure that you have Python on your machine using the following command: python -version\n\n>2. You must have elevated permissions (sudo) on your machine",
- "instructions": [
- {
- "parameters": {
- "fillWith": [
- "WorkspaceId"
- ],
- "label": "Run the following command to validate your connectivity:",
- "value": "sudo wget -O cef_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/CEF/cef_troubleshoot.py&&sudo python cef_troubleshoot.py {0}"
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_8",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Cisco SEG - Insecure protocol",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where tostring(AdditionalFields) has 'ESATLSOutProtocol'\n| extend tls_status = extract(@'ESATLSOutProtocol\":\"(.*?)\"', 1, tostring(AdditionalFields))\n| where tls_status != 'TLSv1.2'\n| extend AccountCustomEntity = SrcUserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for connections with insecure protocol."
},
- "type": "CopyableLabel"
- }
- ],
- "title": "3. Validate connection"
+ {
+ "name": "tactics",
+ "value": "Impact"
+ },
+ {
+ "name": "techniques",
+ "value": "T1565"
+ }
+ ]
+ }
},
{
- "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)",
- "title": "4. Secure your machine "
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId8'),'/'))))]",
+ "properties": {
+ "description": "CiscoSEG Hunting Query 8",
+ "parentId": "[variables('huntingQueryId8')]",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion8')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CiscoSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
}
- ],
- "id": "[variables('_uiConfigId1')]",
- "additionalRequirementBanner": "This data connector depends on a parser based on a Kusto Function to work as expected [**CiscoSEGEvent**](https://aka.ms/sentinel-CiscoSEG-parser) which is deployed with the Microsoft Sentinel Solution."
- }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId8')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - Insecure protocol",
+ "contentProductId": "[variables('_huntingQuerycontentProductId8')]",
+ "id": "[variables('_huntingQuerycontentProductId8')]",
+ "version": "[variables('huntingQueryVersion8')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs",
- "apiVersion": "2021-05-01",
- "name": "[variables('workbookTemplateSpecName1')]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName9')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
+ "dependsOn": [
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
+ ],
"properties": {
- "description": "CiscoSEG Workbook with template",
- "displayName": "CiscoSEG workbook template"
+ "description": "CiscoSEGSpamMails_HuntingQueries Hunting Query with template version 3.0.0",
+ "mainTemplate": {
+ "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+ "contentVersion": "[variables('huntingQueryVersion9')]",
+ "parameters": {},
+ "variables": {},
+ "resources": [
+ {
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_9",
+ "location": "[parameters('workspace-location')]",
+ "properties": {
+ "eTag": "*",
+ "displayName": "Cisco SEG - Sources of spam mails",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where NetworkDirection =~ 'Incoming'\n| where SimplifiedDeviceAction =~ 'QUARANTINED'\n| extend act_det = extract(@'ESAFinalActionDetails\":\"(.*?)\"', 1, tostring(AdditionalFields))\n| where act_det has 'To SPAM'\n| summarize count() by SourceIP\n| extend IPCustomEntity = SourceIP\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for sources of spam mails."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1566"
+ }
+ ]
+ }
+ },
+ {
+ "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
+ "apiVersion": "2022-01-01-preview",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId9'),'/'))))]",
+ "properties": {
+ "description": "CiscoSEG Hunting Query 9",
+ "parentId": "[variables('huntingQueryId9')]",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion9')]",
+ "source": {
+ "kind": "Solution",
+ "name": "CiscoSEG",
+ "sourceId": "[variables('_solutionId')]"
+ },
+ "author": {
+ "name": "Microsoft",
+ "email": "[variables('_email')]"
+ },
+ "support": {
+ "name": "Microsoft Corporation",
+ "email": "support@microsoft.com",
+ "tier": "Microsoft",
+ "link": "https://support.microsoft.com"
+ }
+ }
+ }
+ ]
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId9')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - Sources of spam mails",
+ "contentProductId": "[variables('_huntingQuerycontentProductId9')]",
+ "id": "[variables('_huntingQuerycontentProductId9')]",
+ "version": "[variables('huntingQueryVersion9')]"
}
},
{
- "type": "Microsoft.Resources/templateSpecs/versions",
- "apiVersion": "2021-05-01",
- "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates",
+ "apiVersion": "2023-04-01-preview",
+ "name": "[variables('huntingQueryTemplateSpecName10')]",
"location": "[parameters('workspace-location')]",
- "tags": {
- "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]",
- "hidden-sentinelContentType": "Workbook"
- },
"dependsOn": [
- "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]"
+ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]"
],
"properties": {
- "description": "CiscoSEGWorkbook Workbook with template version 2.0.1",
+ "description": "CiscoSEGUsersReceivedSpam_HuntingQueries Hunting Query with template version 3.0.0",
"mainTemplate": {
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "[variables('workbookVersion1')]",
+ "contentVersion": "[variables('huntingQueryVersion10')]",
"parameters": {},
"variables": {},
"resources": [
{
- "type": "Microsoft.Insights/workbooks",
- "name": "[variables('workbookContentId1')]",
+ "type": "Microsoft.OperationalInsights/savedSearches",
+ "apiVersion": "2022-10-01",
+ "name": "CiscoSEG_Hunting_Query_10",
"location": "[parameters('workspace-location')]",
- "kind": "shared",
- "apiVersion": "2021-08-01",
- "metadata": {
- "description": "Sets the time name for analysis"
- },
"properties": {
- "displayName": "[parameters('workbook1-name')]",
- "serializedData": "{\"version\":\"Notebook/1.0\",\"items\":[{\"type\":1,\"content\":{\"json\":\"**NOTE**: This data connector depends on a parser based on Kusto Function **CiscoSEGEvent** to work as expected. [Follow steps to get this Kusto Function](https://aka.ms/sentinel-ciscoseg-parser)\"},\"name\":\"text - 8\"},{\"type\":9,\"content\":{\"version\":\"KqlParameterItem/1.0\",\"parameters\":[{\"id\":\"cd8447d9-b096-4673-92d8-2a1e8291a125\",\"version\":\"KqlParameterItem/1.0\",\"name\":\"TimeRange\",\"type\":4,\"description\":\"Sets the time name for analysis\",\"value\":{\"durationMs\":7776000000},\"typeSettings\":{\"selectableValues\":[{\"durationMs\":900000},{\"durationMs\":3600000},{\"durationMs\":86400000},{\"durationMs\":604800000},{\"durationMs\":2592000000},{\"durationMs\":7776000000}]},\"timeContext\":{\"durationMs\":86400000}}],\"style\":\"pills\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\"},\"name\":\"parameters - 11\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n| make-series TotalEvents = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain};\",\"size\":0,\"title\":\"Events Over Time\",\"color\":\"orange\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"timechart\",\"graphSettings\":{\"type\":0}},\"customWidth\":\"50\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"55\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"let tot_m = CiscoSEGEvent\\r\\n| summarize e_count=count()\\r\\n| extend Title='Total Mails';\\r\\nlet rec = CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Incoming'\\r\\n| where SimplifiedDeviceAction =~ 'DELIVERED'\\r\\n| summarize e_count=count()\\r\\n| extend Title='Mails Delivered';\\r\\nlet q_m = CiscoSEGEvent\\r\\n| where NetworkDirection =~ 
'Incoming'\\r\\n| where SimplifiedDeviceAction =~ 'QUARANTINED'\\r\\n| summarize e_count=count()\\r\\n| extend Title='Quarantined Mails';\\r\\nlet mal_m = CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Incoming'\\r\\n| where tostring(AdditionalFields) has 'ESAAMPVerdict'\\r\\n| extend amp_verdict = extract(@'ESAAMPVerdict\\\":\\\"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)\\\"', 1, tostring(AdditionalFields))\\r\\n| where amp_verdict =~ 'MALICIOUS'\\r\\n| summarize e_count=count()\\r\\n| extend Title='Malicious Mails';\\r\\nunion isfuzzy=true tot_m, rec, q_m, mal_m\\r\\n| order by e_count\",\"size\":3,\"title\":\"Mail Summary\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"Title\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"e_count\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"style\":\"decimal\",\"maximumFractionDigits\":2,\"maximumSignificantDigits\":3}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":9,\"formatOptions\":{\"palette\":\"purple\"}},\"showBorder\":false}},\"customWidth\":\"20\",\"name\":\"query - 0\",\"styleSettings\":{\"maxWidth\":\"30\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\n| where NetworkDirection =~ 'Incoming'\\n| summarize tot_m = count() by DstUserName\\n| join kind = inner (CiscoSEGEvent\\n | make-series Trend = count() default = 0 on TimeGenerated from {TimeRange:start} to {TimeRange:end} step {TimeRange:grain} by DstUserName)\\n on DstUserName\\n| project-away DstUserName1, TimeGenerated\\n| project User = DstUserName, TotalMailsReceived=tot_m, Trend\\n| order by TotalMailsReceived\\n| take 6\",\"size\":0,\"title\":\"Users' mail 
volume\",\"timeContext\":{\"durationMs\":86400000},\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"tiles\",\"tileSettings\":{\"titleContent\":{\"columnMatch\":\"User\",\"formatter\":1},\"leftContent\":{\"columnMatch\":\"TotalMailsReceived\",\"formatter\":12,\"formatOptions\":{\"palette\":\"auto\"},\"numberFormat\":{\"unit\":17,\"options\":{\"maximumSignificantDigits\":3,\"maximumFractionDigits\":2}}},\"secondaryContent\":{\"columnMatch\":\"Trend\",\"formatter\":10,\"formatOptions\":{\"palette\":\"magenta\"}},\"showBorder\":false}},\"customWidth\":\"30\",\"name\":\"query - 10\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Outgoing'\\r\\n| where isnotempty(SrcUserName)\\r\\n| summarize count() by SrcUserName\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Senders\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"33\",\"name\":\"query - 3\",\"styleSettings\":{\"margin\":\"10\",\"padding\":\"10\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Incoming'\\r\\n| where isnotempty(DstUserName)\\r\\n| summarize count() by DstUserName\\r\\n| top 10 by count_\",\"size\":3,\"title\":\"Top Recipients\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"sortBy\":[{\"itemKey\":\"TotalEvents\",\"sortOrder\":2}]},\"customWidth\":\"33\",\"name\":\"query - 2\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Incoming'\\r\\n| where 
SimplifiedDeviceAction =~ 'DELIVERED'\\r\\n| where tostring(AdditionalFields) has 'ESAAMPVerdict'\\r\\n| extend amp_verdict = extract(@'ESAAMPVerdict\\\":\\\"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)\\\"', 1, tostring(AdditionalFields))\\r\\n| where amp_verdict =~ 'UNSCANNABLE'\\r\\n| extend Filename = replace_string(tostring(extract(@'\\\"ESAAttachmentDetails\\\":\\\"{(.*?):', 1, tostring(AdditionalFields))), \\\"'\\\", \\\"\\\")\\r\\n| order by TimeGenerated\\r\\n| project TimeGenerated, DstUserName, Filename\\r\\n\",\"size\":3,\"title\":\"Unscannable Files\",\"timeContext\":{\"durationMs\":7776000000},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"table\"},\"customWidth\":\"34\",\"name\":\"query - 1\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n| where NetworkDirection =~ 'Incoming'\\r\\n| where SimplifiedDeviceAction =~ 'DELIVERED'\\r\\n| where tostring(AdditionalFields) has 'ESAAMPVerdict'\\r\\n| extend amp_verdict = extract(@'ESAAMPVerdict\\\":\\\"(NOT_EVALUATED|CLEAN|FA_PENDING|UNKNOWN|SKIPPED|UNSCANNABLE|LOW_RISK|MALICIOUS)\\\"', 1, tostring(AdditionalFields))\\r\\n| where amp_verdict =~ 'MALICIOUS'\\r\\n| extend Filename = replace_string(tostring(extract(@'\\\"ESAAttachmentDetails\\\":\\\"{(.*?):', 1, tostring(AdditionalFields))), \\\"'\\\", \\\"\\\")\\r\\n| summarize count() by Filename\\r\\n\",\"size\":3,\"title\":\"Top Malicious Attachments\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\",\"gridSettings\":{\"rowLimit\":50,\"filter\":true}},\"customWidth\":\"30\",\"name\":\"query - 8\"},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\r\\n | where NetworkDirection =~ 'Outgoing'\\r\\n | where 
tostring(AdditionalFields) has 'ESADLPVerdict'\\r\\n | extend dlp_verdict = extract(@'ESADLPVerdict\\\":\\\"(NOT_EVALUATED|NO TRIGGER|VIOLATION|NO VIOLATION)\\\"', 1, tostring(AdditionalFields))\\r\\n | where dlp_verdict =~ 'VIOLATION'\\r\\n | extend File = replace_string(tostring(extract(@'\\\"ESAAttachmentDetails\\\":\\\"{(.*?):', 1, tostring(AdditionalFields))), \\\"'\\\", \\\"\\\")\\r\\n | project TimeGenerated, SrcUserName, DstUserName, File\",\"size\":0,\"title\":\"Users with DLP Violation\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"gridSettings\":{\"rowLimit\":50}},\"customWidth\":\"40\",\"name\":\"query - 12\",\"styleSettings\":{\"maxWidth\":\"33\"}},{\"type\":3,\"content\":{\"version\":\"KqlItem/1.0\",\"query\":\"CiscoSEGEvent\\n | where TimeGenerated > ago(24h)\\n | where NetworkDirection =~ 'Incoming'\\n | extend act_det = extract(@'ESAFinalActionDetails\\\":\\\"(.*?)\\\"', 1, tostring(AdditionalFields))\\n | where act_det has 'To SPAM'\\n | summarize count() by SrcUserName\\n | top 10 by count_\\n\",\"size\":3,\"title\":\"SPAM Sources\",\"timeContext\":{\"durationMs\":0},\"timeContextFromParameter\":\"TimeRange\",\"queryType\":0,\"resourceType\":\"microsoft.operationalinsights/workspaces\",\"visualization\":\"piechart\"},\"customWidth\":\"30\",\"name\":\"query - 10\"}],\"fromTemplateId\":\"sentinel-CiscoSEGWorkbook\",\"$schema\":\"https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json\"}\r\n",
- "version": "1.0",
- "sourceId": "[variables('workspaceResourceId')]",
- "category": "sentinel"
+ "eTag": "*",
+ "displayName": "Cisco SEG - Top users receiving spam mails",
+ "category": "Hunting Queries",
+ "query": "CiscoSEGEvent\n| where TimeGenerated > ago(24h)\n| where NetworkDirection =~ 'Incoming'\n| where SimplifiedDeviceAction =~ 'QUARANTINED'\n| extend act_det = extract(@'ESAFinalActionDetails\":\"(.*?)\"', 1, tostring(AdditionalFields))\n| where act_det has 'To SPAM'\n| summarize count() by DstUserName\n| extend AccountCustomEntity = DstUserName\n",
+ "version": 2,
+ "tags": [
+ {
+ "name": "description",
+ "value": "Query searches for top users receiving spam mails."
+ },
+ {
+ "name": "tactics",
+ "value": "InitialAccess"
+ },
+ {
+ "name": "techniques",
+ "value": "T1566"
+ }
+ ]
}
},
{
"type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
"apiVersion": "2022-01-01-preview",
- "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]",
+ "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('HuntingQuery-', last(split(variables('huntingQueryId10'),'/'))))]",
"properties": {
- "description": "@{workbookKey=CiscoSEGWorkbook; logoFileName=cisco-logo-72px.svg; description=Sets the time name for analysis; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Cisco Secure Email Gateway; templateRelativePath=CiscoSEG.json; subtitle=; provider=Cisco}.description",
- "parentId": "[variables('workbookId1')]",
- "contentId": "[variables('_workbookContentId1')]",
- "kind": "Workbook",
- "version": "[variables('workbookVersion1')]",
+ "description": "CiscoSEG Hunting Query 10",
+ "parentId": "[variables('huntingQueryId10')]",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "kind": "HuntingQuery",
+ "version": "[variables('huntingQueryVersion10')]",
"source": {
"kind": "Solution",
"name": "CiscoSEG",
@@ -2839,34 +3145,39 @@
"email": "support@microsoft.com",
"tier": "Microsoft",
"link": "https://support.microsoft.com"
- },
- "dependencies": {
- "operator": "AND",
- "criteria": [
- {
- "contentId": "CommonSecurityLog",
- "kind": "DataType"
- },
- {
- "contentId": "CiscoSEG",
- "kind": "DataConnector"
- }
- ]
}
}
}
]
- }
+ },
+ "packageKind": "Solution",
+ "packageVersion": "[variables('_solutionVersion')]",
+ "packageName": "[variables('_solutionName')]",
+ "packageId": "[variables('_solutionId')]",
+ "contentSchemaVersion": "3.0.0",
+ "contentId": "[variables('_huntingQuerycontentId10')]",
+ "contentKind": "HuntingQuery",
+ "displayName": "Cisco SEG - Top users receiving spam mails",
+ "contentProductId": "[variables('_huntingQuerycontentProductId10')]",
+ "id": "[variables('_huntingQuerycontentProductId10')]",
+ "version": "[variables('huntingQueryVersion10')]"
}
},
{
- "type": "Microsoft.OperationalInsights/workspaces/providers/metadata",
- "apiVersion": "2022-01-01-preview",
+ "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages",
+ "apiVersion": "2023-04-01-preview",
"location": "[parameters('workspace-location')]",
"properties": {
- "version": "2.0.1",
+ "version": "3.0.0",
"kind": "Solution",
- "contentSchemaVersion": "2.0.0",
+ "contentSchemaVersion": "3.0.0",
+ "displayName": "CiscoSEG",
+ "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation",
+ "descriptionHtml": "Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThe Cisco Secure Email Gateway (SEG) solution provides the capability to ingest Cisco SEG Consolidated Event Logs into Microsoft Sentinel.
\n\nCiscoSEG via AMA - This data connector helps in ingesting CiscoSEG logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.
\n \nCiscoSEG via Legacy Agent - This data connector helps in ingesting CiscoSEG logs into your Log Analytics Workspace using the legacy Log Analytics agent.
\n \n
\nNOTE: Microsoft recommends installation of CiscoSEG via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.
\nData Connectors: 2, Parsers: 1, Workbooks: 1, Analytic Rules: 11, Hunting Queries: 10
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n",
+ "contentKind": "Solution",
+ "contentProductId": "[variables('_solutioncontentProductId')]",
+ "id": "[variables('_solutioncontentProductId')]",
+ "icon": "",
"contentId": "[variables('_solutionId')]",
"parentId": "[variables('_solutionId')]",
"source": {
@@ -2887,6 +3198,26 @@
"dependencies": {
"operator": "AND",
"criteria": [
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId1')]",
+ "version": "[variables('dataConnectorVersion1')]"
+ },
+ {
+ "kind": "DataConnector",
+ "contentId": "[variables('_dataConnectorContentId2')]",
+ "version": "[variables('dataConnectorVersion2')]"
+ },
+ {
+ "kind": "Parser",
+ "contentId": "[variables('_parserContentId1')]",
+ "version": "[variables('parserVersion1')]"
+ },
+ {
+ "kind": "Workbook",
+ "contentId": "[variables('_workbookContentId1')]",
+ "version": "[variables('workbookVersion1')]"
+ },
{
"kind": "AnalyticsRule",
"contentId": "[variables('analyticRulecontentId1')]",
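Review bot: The solution-level `dependencies` block keeps `"operator": "AND"` while its criteria now list both the legacy connector (`_dataConnectorContentId1`) and the AMA connector (`_dataConnectorContentId2`), even though the package description added in this same template says the legacy connector should only be installed where AMA is not supported. If the content hub treats `contentPackages.dependencies` as install prerequisites, a workspace that deploys only the AMA connector would never satisfy this package; if it is merely a manifest of bundled items, that is worth stating in the release notes so the next reader does not have to ask. If the schema supports nested criteria groups, the two connector entries would express the intent more accurately as `{ "operator": "OR", "criteria": [ ...DataConnector 1..., ...DataConnector 2... ] }` inside the outer AND; I cannot confirm from this diff whether the generator or schema allows that. The `dependencies` object continues past the end of this hunk.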
@@ -2991,21 +3322,6 @@
"kind": "HuntingQuery",
"contentId": "[variables('_huntingQuerycontentId10')]",
"version": "[variables('huntingQueryVersion10')]"
- },
- {
- "kind": "Parser",
- "contentId": "[variables('_parserContentId1')]",
- "version": "[variables('parserVersion1')]"
- },
- {
- "kind": "DataConnector",
- "contentId": "[variables('_dataConnectorContentId1')]",
- "version": "[variables('dataConnectorVersion1')]"
- },
- {
- "kind": "Workbook",
- "contentId": "[variables('_workbookContentId1')]",
- "version": "[variables('workbookVersion1')]"
}
]
},
diff --git a/Solutions/CiscoSEG/ReleaseNotes.md b/Solutions/CiscoSEG/ReleaseNotes.md
new file mode 100644
index 00000000000..3ab230e52a8
--- /dev/null
+++ b/Solutions/CiscoSEG/ReleaseNotes.md
@@ -0,0 +1,5 @@
+| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** |
+|-------------|--------------------------------|--------------------------------------------------------------------|
+| 3.0.0 | 28-09-2023 | Addition of new CiscoSEG AMA **Data Connector** | |
+
+
diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
index e6cde3022d9..67f32faea0e 100644
--- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
+++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json
@@ -3583,7 +3583,8 @@
"CommonSecurityLog"
],
"dataConnectorsDependencies": [
- "CiscoSEG"
+ "CiscoSEG",
+ "CiscoSEGAma"
],
"previewImagesFileNames": [
"CiscoSEGBlack.png",
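Review bot: The workbook's generated dependency criteria will now list two connectors (`CiscoSEG` and `CiscoSEGAma`) although the workbook only needs data from one of them, and the previous generated metadata for this workbook (removed earlier in this diff) joined its criteria with `"operator": "AND"`. Unless the V2 generator emits an `OR` group for multiple `dataConnectorsDependencies` entries, the regenerated workbook metadata will declare a hard dependency on both the legacy and AMA connectors, which contradicts the package note that the two should not normally coexist on one host. Worth checking the generated workbook metadata in the solution package for this entry, or, if the tooling cannot express OR, listing only the connector that is now recommended. The surrounding JSON object continues outside the hunk.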