Merge branch 'master' into v-rusraut/CrowdStrikeFalconEndpointProtect…
…ion-MMAtoAMAMigration
v-rusraut committed Oct 3, 2023
2 parents c405c57 + e9383c2 commit 322fd8c
Showing 88 changed files with 12,168 additions and 8,597 deletions.
Expand Up @@ -205,9 +205,13 @@
"PingFederateAma",
"vArmourACAma",
"ContrastProtectAma",
"InfobloxCloudDataConnectorAma",
"ClarotyAma",
"illusiveAttackManagementSystemAma",
"TrendMicroApexOneAma",
"CrowdStrikeFalconEndpointProtectionAma",
"PaloAltoCDLAma"
"PaloAltoCDLAma",
"PaloAltoNetworksAma",
"PaloAltoCDLAma",
"CiscoSEGAma"
]
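Review bot: The merged array now lists `"PaloAltoCDLAma"` twice — once directly above `"PaloAltoNetworksAma"` and again directly below it — which looks like a merge artifact rather than an intended entry. One of the two should be dropped so the tail of the list reads `"PaloAltoNetworksAma",` / `"PaloAltoCDLAma",` / `"CiscoSEGAma"`. Whether the duplicate is harmless depends on the consumer of this list, which is outside the hunk; if it iterates the entries rather than treating them as a set, that connector would be processed twice. The enclosing array starts outside the hunk and the file name is not shown on this page.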
27 changes: 16 additions & 11 deletions Detections/AzureActivity/RareRunCommandPowerShellScript.yaml
Expand Up @@ -40,7 +40,7 @@ query: |
| extend Scope_s = split(Scope, "/")
| extend Subscription = tostring(Scope_s[2])
| extend VirtualMachineName = tostring(Scope_s[-1])
| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress
| project StartTime, EndTime, Subscription, VirtualMachineName, CorrelationId, Caller, CallerIpAddress=max_CallerIpAddress, Scope
| join kind=leftouter (
DeviceFileEvents
| where InitiatingProcessFileName == "RunCommandExtension.exe"
Expand All @@ -49,7 +49,7 @@ query: |
) on VirtualMachineName
// We need to filter by time sadly, this is the only way to link events
| where PowershellFileCreatedTimestamp between (StartTime .. EndTime)
| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath
| project StartTime, EndTime, PowershellFileCreatedTimestamp, VirtualMachineName, Caller, CallerIpAddress, FileName, FileSize, InitiatingProcessId, InitiatingProcessAccountDomain, InitiatingProcessFolderPath, Scope
| join kind=inner(
DeviceEvents
| extend VirtualMachineName = tostring(split(DeviceName, ".")[0])
Expand All @@ -66,7 +66,7 @@ query: |
| order by PSCommand asc
| summarize PowershellExecStartTime=min(TimeGenerated), PowershellExecEnd=max(TimeGenerated), make_list(PSCommand) by PowershellFileName, InitiatingProcessCommandLine
) on $left.FileName == $right.PowershellFileName
| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName
| project StartTime, EndTime, PowershellFileCreatedTimestamp, PowershellExecStartTime, PowershellExecEnd, PowershellFileName, PowershellScriptCommands=list_PSCommand, Caller, CallerIpAddress, InitiatingProcessCommandLine, PowershellFileSize=FileSize, VirtualMachineName, Scope
| order by StartTime asc
// We generate the hash based on the cmdlets called and the size of the powershell script
| extend TempFingerprintString = strcat(PowershellScriptCommands, PowershellFileSize)
Expand All @@ -83,28 +83,33 @@ query: |
| extend Prevalence = toreal(HashCount) / toreal(totals) * 100
// Where the hash was only ever seen once.
| where HashCount == 1
| extend timestamp = StartTime, IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, HostCustomEntity=VirtualMachineName
| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, IPCustomEntity, AccountCustomEntity, HostCustomEntity
| extend timestamp = StartTime
| extend CallerName = tostring(split(Caller, "@")[0]), CallerUPNSuffix = tostring(split(Caller, "@")[1])
| project timestamp, StartTime, EndTime, PowershellFileName, VirtualMachineName, Caller, CallerName, CallerUPNSuffix, CallerIpAddress, PowershellScriptCommands, PowershellFileSize, ScriptFingerprintHash, Prevalence, Scope
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: CallerName
- identifier: UPNSuffix
columnName: CallerUPNSuffix
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
columnName: CallerIpAddress
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: HostCustomEntity
version: 1.0.5
columnName: VirtualMachineName
- identifier: AzureID
columnName: Scope
version: 1.0.6
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Pete Bryan
name: Microsoft Security Research
support:
tier: Community
categories:
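Review bot: The new `CallerName` / `CallerUPNSuffix` columns are derived with `split(Caller, "@")`, so for a caller that is not a UPN (automation typically shows up as an application or object id rather than an e-mail address) `CallerUPNSuffix` comes out empty and the Account entity is left with `Name` alone, which is weaker than the `FullName` mapping the commit removes; if the table exposes an id for such callers it would be worth mapping that as well, and the same split pattern on `AADEmail` in Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml has the same limitation. Mapping the Host entity's `AzureID` to `Scope` looks consistent with the query, which already treats `Scope` as the VM resource path (`Scope_s[-1]` is the VM name), though I cannot see from the hunk whether `Scope` survives the summarize above the first hunk. The query body starts above the first hunk.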
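--- a/Detections/AzureAppServices/AVScan_Failure.yaml
+++ b/Detections/AzureAppServices/AVScan_Failure.yaml
@@ -12,13 +12,13 @@ query: |
 let timeframe = ago(1d);
 AppServiceAntivirusScanAuditLogs
 | where ScanStatus == "Failed"
-| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated
+| extend timestamp = TimeGenerated
 entityMappings:
 - entityType: Host
 fieldMappings:
-- identifier: FullName
-columnName: HostCustomEntity
-version: 1.0.2
+- identifier: AzureID
+columnName: _ResourceId
+version: 1.0.3
 kind: Scheduled
 metadata:
 source: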
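--- a/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
+++ b/Detections/AzureAppServices/AVScan_Infected_Files_Found.yaml
@@ -12,13 +12,13 @@ query: |
 let timeframe = ago(1d);
 AppServiceAntivirusScanAuditLogs
 | where NumberOfInfectedFiles > 0
-| extend HostCustomEntity = _ResourceId, timestamp = TimeGenerated
+| extend timestamp = TimeGenerated
 entityMappings:
 - entityType: Host
 fieldMappings:
-- identifier: FullName
-columnName: HostCustomEntity
-version: 1.0.2
+- identifier: AzureID
+columnName: _ResourceId
+version: 1.0.3
 kind: Scheduled
 metadata:
 source: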
Expand Up @@ -19,17 +19,17 @@ query: |
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = dcount(SourceIP) by HostName, SourceIP
| where NumberOfErrors > 400
| sort by NumberOfErrors desc
| extend timestamp = StartTime, HostCustomEntity = HostName, IPCustomEntity = SourceIP
| extend timestamp = StartTime
entityMappings:
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- identifier: HostName
columnName: HostName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.2
columnName: SourceIP
version: 1.0.3
kind: Scheduled
metadata:
source:
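Review bot: `NumberOfErrors = dcount(SourceIP) by HostName, SourceIP` on the unchanged line at the top of the hunk is always 1, since each group holds exactly one distinct `SourceIP`, so `| where NumberOfErrors > 400` can never be true and the rule as shipped would never fire. If the intent is to count error events per host/source pair, the aggregate should be `count()`, e.g. `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), NumberOfErrors = count() by HostName, SourceIP`. This predates the commit, which only reworks the entity mappings, but bumping the version without addressing it means the detection is re-released inert. The file name is not shown on this page and the query starts above the hunk.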
Expand Up @@ -27,26 +27,28 @@ query: |
| where not(FolderPath has_any (excludeProcs))
| extend
timestamp = TimeGenerated,
AccountCustomEntity = iff(isnotempty(InitiatingProcessAccountUpn), InitiatingProcessAccountUpn, InitiatingProcessAccountName),
HostCustomEntity = DeviceName,
AlgorithmCustomEntity = "MD5",
FileHashCustomEntity = MD5
InitiatingProcessAccountUPNSuffix = tostring(split(InitiatingProcessAccountUpn, "@")[1]),
Algorithm = "MD5"
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: InitiatingProcessAccountName
- identifier: NTDomain
columnName: InitiatingProcessAccountDomain
- identifier: Sid
columnName: InitiatingProcessAccountSid
- entityType: Host
fieldMappings:
- identifier: FullName
columnName: HostCustomEntity
- identifier: HostName
columnName: DeviceName
- entityType: FileHash
fieldMappings:
- identifier: Algorithm
columnName: AlgorithmCustomEntity
columnName: Algorithm
- identifier: Value
columnName: FileHashCustomEntity
version: 1.0.3
columnName: MD5
version: 1.0.4
kind: Scheduled
metadata:
source:
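Review bot: `InitiatingProcessAccountUPNSuffix` is computed in the new `extend` but nothing references it — the Account entity now maps only `Name`, `NTDomain` and `Sid` — so the column is dead weight in every result row; either add `- identifier: UPNSuffix` / `columnName: InitiatingProcessAccountUPNSuffix` under the Account entity or drop it from the extend. The old query fell back to `InitiatingProcessAccountName` only when the UPN was empty, whereas the new mapping relies on name plus NT domain unconditionally; that is fine provided those columns are populated for the events in scope, which I cannot confirm from the hunk. The file name is not shown on this page and the query starts above the hunk.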
13 changes: 7 additions & 6 deletions Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
Expand Up @@ -26,24 +26,25 @@ query: |
| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
| where AADEmail !in (allowed_users)
| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail
| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, "@")[0]), AccountUPNSuffix = tostring(split(AADEmail, "@")[1])
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- identifier: Name
columnName: AccountName
- identifier: UPNSuffix
columnName: AccountUPNSuffix
- entityType: AzureResource
fieldMappings:
- identifier: ResourceId
columnName: RequestTarget
version: 1.1.2
version: 1.1.3
kind: Scheduled
metadata:
source:
kind: Community
author:
name: Pete Bryan
name: Microsoft Security Research
support:
tier: Community
categories:
@@ -1,6 +1,6 @@
{
"id": "CiscoFirepowerEStreamer",
"title": "Cisco Firepower eStreamer",
"title": "[Deprecated] Cisco Firepower eStreamer via Legacy Agent",
"publisher": "Cisco",
"descriptionMarkdown": "eStreamer is a Client Server API designed for the Cisco Firepower NGFW Solution. The eStreamer client requests detailed event data on behalf of the SIEM or logging solution in the Common Event Format (CEF).",
"graphQueries": [
@@ -0,0 +1,141 @@
{
"id": "CiscoFirepowerEStreamerAma",
"title": "[Recommended] Cisco Firepower eStreamer via Legacy Agent via AMA",
"publisher": "Cisco",
"descriptionMarkdown": "eStreamer is a Client Server API designed for the Cisco Firepower NGFW Solution. The eStreamer client requests detailed event data on behalf of the SIEM or logging solution in the Common Event Format (CEF).",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "CiscoFirepowerEstreamerCEF",
"baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'Firepower'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)"
}
],
"sampleQueries": [
{
"description" : "Firewall Blocked Events",
"query": "CommonSecurityLog\n| where DeviceVendor == \"Cisco\"\n| where DeviceProduct == \"Firepower\" | where DeviceAction != \"Allow\""
},
{
"description" : "File Malware Events",
"query": "CommonSecurityLog\n| where DeviceVendor == \"Cisco\"\n| where DeviceProduct == \"Firepower\" | where Activity == \"File Malware Event\""
},
{
"description" : "Outbound Web Traffic Port 80",
"query": "CommonSecurityLog\n| where DeviceVendor == \"Cisco\"\n| where DeviceProduct == \"Firepower\" | where DestinationPort == \"80\""
}
],
"dataTypes": [
{
"name": "CommonSecurityLog (CiscoFirepowerEstreamerCEF)",
"lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'Firepower'\n |where DeviceProduct =~ '\"Firepower'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"CommonSecurityLog\n |where DeviceVendor =~ 'Cisco'\n |where DeviceProduct =~ 'Firepower'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"read": true,
"write": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
],
"customs": [
{
"description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)"
},
{
"description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)"
}
]
},
"instructionSteps": [
{
"title": "",
"description": "",
"instructions": [
{
"parameters": {
"title": "1. Kindly follow the steps to configure the data connector",
"instructionSteps": [
{
"title": "Step A. Configure the Common Event Format (CEF) via AMA data connector",
"description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine",
"instructions": [
]
},
{
"title": "Step B. Install the Firepower eNcore client",
"description": "Install and configure the Firepower eNcore eStreamer client, for more details see full install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html)",
"innerSteps": [
{
"title": "1. Download the Firepower Connector from github",
"description": "Download the latest version of the Firepower eNcore connector for Microsoft Sentinel [here](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector). If you plan on using python3 use the [python3 eStreamer connector](https://github.com/CiscoSecurity/fp-05-microsoft-sentinel-connector/tree/python3)"
},
{
"title": "2. Create a pkcs12 file using the Azure/VM Ip Address",
"description": "Create a pkcs12 certificate using the public IP of the VM instance in Firepower under System->Integration->eStreamer, for more information please see install [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049443)"
},
{
"title": "3. Test Connectivity between the Azure/VM Client and the FMC",
"description": "Copy the pkcs12 file from the FMC to the Azure/VM instance and run the test utility (./encore.sh test) to ensure a connection can be established, for more details please see the setup [guide](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049430)"
},
{
"title": "4. Configure encore to stream data to the agent",
"description": "Configure encore to stream data via TCP to the Microsoft Agent, this should be enabled by default, however, additional ports and streaming protocols can configured depending on your network security posture, it is also possible to save the data to the file system, for more information please see [Configure Encore](https://www.cisco.com/c/en/us/td/docs/security/firepower/670/api/eStreamer_enCore/eStreamereNcoreSentinelOperationsGuide_409.html#_Toc527049433)"
}
]
},
{
"title": "Step C. Validate connection",
"description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine",
"instructions": [
{
"parameters": {
"label": "Run the following command to validate your connectivity:",
"value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef"
},
"type": "CopyableLabel"
}
]
}
]
},
"type": "InstructionStepsGroup"
}

]
},


{
"title": "2. Secure your machine ",
"description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)"
}
]
}
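Review bot: The `lastDataReceivedQuery` under `dataTypes` has a second product filter `|where DeviceProduct =~ '\"Firepower'` immediately after `|where DeviceProduct =~ 'Firepower'`; no row can satisfy both, so the "last data received" indicator will stay empty even when the connector is streaming. Removing that duplicated clause makes the query match the filters used in `baseQuery` and `connectivityCriterias`. The `title` reads `[Recommended] Cisco Firepower eStreamer via Legacy Agent via AMA`, where "via Legacy Agent" belongs to the deprecated connector and should be dropped here, and the validation step's `python -version` appears to be a typo for `python --version`. The file name is not shown on this page.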