diff --git a/Solutions/DNS Essentials/Data/Solution_DNS.json b/Solutions/DNS Essentials/Data/Solution_DNS.json index d17f17b8860..8f737b2e233 100644 --- a/Solutions/DNS Essentials/Data/Solution_DNS.json +++ b/Solutions/DNS Essentials/Data/Solution_DNS.json @@ -14,7 +14,8 @@ "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresAnomalyBased.yaml", "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml", "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml", - "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml" + "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml", + "Analytic Rules/NgrokReverseProxyOnNetwork.yaml" ], "Playbooks": [ "Playbooks/SummarizeData_DNSEssentials/azuredeploy.json" @@ -32,7 +33,7 @@ "Hunting Queries/UnexpectedTopLevelDomains.yaml" ], "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\DNS Essentials", - "Version": "3.0.1", + "Version": "3.0.2", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1PConnector": false diff --git a/Solutions/DNS Essentials/Package/3.0.2.zip b/Solutions/DNS Essentials/Package/3.0.2.zip new file mode 100644 index 00000000000..eed12f4d2b0 Binary files /dev/null and b/Solutions/DNS Essentials/Package/3.0.2.zip differ diff --git a/Solutions/DNS Essentials/Package/createUiDefinition.json b/Solutions/DNS Essentials/Package/createUiDefinition.json index c20d73d5e2c..28c8268560d 100644 --- a/Solutions/DNS Essentials/Package/createUiDefinition.json +++ b/Solutions/DNS Essentials/Package/createUiDefinition.json 
@@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. 
Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 8, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/DNS%20Essentials/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThis is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. 
Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize Data for DNS Essentials Solution** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.\n\n**Workbooks:** 1, **Analytic Rules:** 9, **Hunting Queries:** 10, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -230,6 +230,20 @@ } } ] + }, + { + "name": "analytic9", + "type": "Microsoft.Common.Section", + "label": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)", + "elements": [ + { + "name": "analytic9-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. While not inherently harmful, it has been used for malicious activities recently." + } + } + ] } ] }, diff --git a/Solutions/DNS Essentials/Package/mainTemplate.json b/Solutions/DNS Essentials/Package/mainTemplate.json index 38921c0b116..6ed70120b85 100644 --- a/Solutions/DNS Essentials/Package/mainTemplate.json +++ b/Solutions/DNS Essentials/Package/mainTemplate.json 
@@ -41,7 +41,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "DNS Essentials", - "_solutionVersion": "3.0.1", + "_solutionVersion": "3.0.2", "solutionId": "azuresentinel.azure-sentinel-solution-dns-domain", "_solutionId": "[variables('solutionId')]", "workbookVersion1": "1.0.0", @@ -107,6 +107,13 @@ "analyticRuleTemplateSpecName8": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('77b7c820-5f60-4779-8bdb-f06e21add5f1')))]", "_analyticRulecontentProductId8": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','77b7c820-5f60-4779-8bdb-f06e21add5f1','-', '1.0.2')))]" }, + "analyticRuleObject9": { + "analyticRuleVersion9": "1.0.0", + "_analyticRulecontentId9": "50b0dfb7-2c94-4eaf-a332-a5936d78c263", + "analyticRuleId9": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', '50b0dfb7-2c94-4eaf-a332-a5936d78c263')]", + "analyticRuleTemplateSpecName9": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring('50b0dfb7-2c94-4eaf-a332-a5936d78c263')))]", + "_analyticRulecontentProductId9": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-','50b0dfb7-2c94-4eaf-a332-a5936d78c263','-', '1.0.0')))]" + }, "SummarizeData_DNSEssentials": "SummarizeData_DNSEssentials", "_SummarizeData_DNSEssentials": "[variables('SummarizeData_DNSEssentials')]", "playbookVersion1": "1.0", 
@@ -177,7 +184,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DNSSolutionWorkbook Workbook with template version 3.0.1", + "description": "DNSSolutionWorkbook Workbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -252,7 +259,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ExcessiveNXDOMAINDNSQueriesAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject1').analyticRuleVersion1]", @@ -262,7 +269,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject1')._analyticRulecontentId1]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -278,7 +285,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -288,21 +294,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, @@ -363,7 +369,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "ExcessiveNXDOMAINDNSQueriesStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject2').analyticRuleVersion2]", @@ -373,7 +379,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject2')._analyticRulecontentId2]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -389,7 +395,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -399,13 +404,13 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { 
@@ -473,7 +478,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "MultipleErrorsReportedForSameDNSQueryAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject3').analyticRuleVersion3]", @@ -483,7 +488,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject3')._analyticRulecontentId3]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -499,7 +504,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -510,23 +514,23 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ] + ], + "entityType": "DNS" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", - "TotalIPs": "TotalIPs", - "SrcIps": "SrcIps" + "SrcIps": "SrcIps", + "baseline": "baseline", + "TotalIPs": "TotalIPs" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nBaseline for total clients reporting errors for this DNS query: '{{baseline}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNS query include:\n'{{SrcIps}}'", @@ -585,7 +589,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "MultipleErrorsReportedForSameDNSQueryStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject4').analyticRuleVersion4]", @@ -595,7 +599,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject4')._analyticRulecontentId4]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -611,7 +615,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -622,62 +625,62 @@ ], "entityMappings": [ { - "entityType": "DNS", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "DomainName" + "identifier": "DomainName", + "columnName": "DnsQuery" } - ] + ], + "entityType": "DNS" }, { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIP", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIP" } - ] + ], + "entityType": "IP" }, { - "entityType": "AzureResource", "fieldMappings": [ { - "columnName": "ResourceId", - "identifier": "ResourceId" + "identifier": "ResourceId", + "columnName": "ResourceId" } - ] + ], + "entityType": "AzureResource" }, { - "entityType": "Url", "fieldMappings": [ { - "columnName": "DnsQuery", - "identifier": "Url" + "identifier": "Url", + "columnName": "DnsQuery" } - ] + ], + "entityType": "Url" }, { - "entityType": "Host", "fieldMappings": [ { - "columnName": "HostName", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "HostName" }, { - "columnName": "HostNameDomain", - "identifier": "NTDomain" + "identifier": "NTDomain", + "columnName": "HostNameDomain" } - ] + ], + "entityType": "Host" } ], "eventGroupingSettings": { "aggregationKind": "SingleAlert" }, "customDetails": { - "TotalIPs": "TotalIPs", "IPCountthreshold": "IPCountthreshold", - "SrcIPs": "SrcIPs" + "SrcIPs": "SrcIPs", + "TotalIPs": "TotalIPs" }, "alertDetailsOverride": { "alertDescriptionFormat": "Multiple errors were detected on different clients for the same DNS query. These unsuccessful responses can be an indication of C2 communication. \n\nThreshold for total clients reporting errors: '{{IPCountthreshold}}'\n\nCurrent count of clients reporting errors for this DNS query: '{{TotalIPs}}'\n\nClients requesting this DNSQuery include:\n\n'{{SrcIPs}}'", 
@@ -736,7 +739,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialDGADetectedviaRepetitiveFailuresAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject5').analyticRuleVersion5]", @@ -746,7 +749,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject5')._analyticRulecontentId5]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -762,7 +765,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], @@ -772,21 +774,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, 
@@ -847,7 +849,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject6').analyticRuleVersion6]", @@ -857,7 +859,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject6')._analyticRulecontentId6]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -873,7 +875,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "CommandAndControl" ], 
@@ -883,22 +884,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQueryThreshold": "DNSQueryThreshold", "DNSQueryCount": "DNSQueryCount", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "DNSQueryThreshold": "DNSQueryThreshold" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client has been identified with high NXDomain count which could be indicative of a DGA (cycling through possible C2 domains where most C2s are not live). This client is found to be communicating with multiple Domains which do not exist.\n\nDGA DNS query count baseline is: '{{DNSQueryThreshold}}'\n\nCurrent failed DNS query count from this client: '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", @@ -957,7 +958,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "RareClientObservedWithHighReverseDNSLookupCountAnomalyBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject7').analyticRuleVersion7]", @@ -967,7 +968,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject7')._analyticRulecontentId7]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { 
@@ -983,7 +984,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], @@ -992,21 +992,21 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "baseline": "baseline", "AnomalyScore": "score", + "baseline": "baseline", "Total": "Total", "DNSQueries": "DNSQueries" }, @@ -1067,7 +1067,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.1", + "description": "RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased_AnalyticalRules Analytics Rule with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleObject8').analyticRuleVersion8]", @@ -1077,7 +1077,7 @@ { "type": "Microsoft.SecurityInsights/AlertRuleTemplates", "name": "[variables('analyticRuleObject8')._analyticRulecontentId8]", - "apiVersion": "2022-04-01-preview", + "apiVersion": "2023-02-01-preview", "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { @@ -1093,7 +1093,6 @@ "triggerOperator": "GreaterThan", "triggerThreshold": 0, "status": "Available", - "requiredDataConnectors": [], "tactics": [ "Reconnaissance" ], 
@@ -1102,22 +1101,22 @@ ], "entityMappings": [ { - "entityType": "IP", "fieldMappings": [ { - "columnName": "SrcIpAddr", - "identifier": "Address" + "identifier": "Address", + "columnName": "SrcIpAddr" } - ] + ], + "entityType": "IP" } ], "eventGroupingSettings": { "aggregationKind": "AlertPerResult" }, "customDetails": { - "DNSQuerythreshold": "DNSQuerythreshold", "DNSQueryCount": "DNSQueryCount", - "DNSQueries": "DNSQueries" + "DNSQueries": "DNSQueries", + "DNSQuerythreshold": "DNSQuerythreshold" }, "alertDetailsOverride": { "alertDescriptionFormat": "Client identified as making high reverse DNS counts which could be carrying out reconnaissance or discovery activity.\n\nReverse DNS lookup threshold is: '{{DNSQuerythreshold}}'\n\nCurrent reverse DNS lookup count from this client is : '{{DNSQueryCount}}'\n\nDNS queries requested by this client inlcude: '{{DNSQueries}}'", 
@@ -1167,6 +1166,116 @@ "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" } }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('analyticRuleObject9').analyticRuleTemplateSpecName9]", + "location": "[parameters('workspace-location')]", + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], + "properties": { + "description": "NgrokReverseProxyOnNetwork_AnalyticalRules Analytics Rule with template version 3.0.2", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "type": "Microsoft.SecurityInsights/AlertRuleTemplates", + "name": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "apiVersion": "2023-02-01-preview", + "kind": "Scheduled", + "location": "[parameters('workspace-location')]", + "properties": { + "description": "This detection identifies the top four Ngrok domains from DNS resolution. Ngrok reverse proxy can bypass network defense. 
While not inherently harmful, it has been used for malicious activities recently.", + "displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)", + "enabled": false, + "query": "// Define a list of Ngrok domains\nlet NgrokDomains = dynamic([\"ngrok.com\", \"ngrok.io\", \"ngrok\", \"tunnel.com\", \"korgn\", \"lennut.com\"]);\n// Query the _Im_Dns function for the past 1 hour\n_Im_Dns(starttime=ago(1h))\n| where isnotempty(DnsQuery) // Filter out empty DNS queries\n| where DnsQuery has_any (NgrokDomains) // Filter DNS queries that match any of the Ngrok domains\n| summarize Starttime = min(EventStartTime),Endtime=max(EventEndTime),EventsCount=sum(EventCount),EventResults=make_set(EventResult,4) by DnsQuery, Domain, SrcIpAddr, Dvc\n// Summarize the data by Domain, DNS query, source IP address, and device Dvc\n", + "queryFrequency": "PT1H", + "queryPeriod": "PT1H", + "severity": "Medium", + "suppressionDuration": "PT1H", + "suppressionEnabled": false, + "triggerOperator": "GreaterThan", + "triggerThreshold": 0, + "status": "Available", + "tactics": [ + "CommandAndControl" + ], + "techniques": [ + "T1572", + "T1090", + "T1102" + ], + "entityMappings": [ + { + "fieldMappings": [ + { + "identifier": "Address", + "columnName": "SrcIpAddr" + } + ], + "entityType": "IP" + }, + { + "fieldMappings": [ + { + "identifier": "DomainName", + "columnName": "Domain" + } + ], + "entityType": "DNS" + } + ], + "eventGroupingSettings": { + "aggregationKind": "AlertPerResult" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2022-01-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('AnalyticsRule-', last(split(variables('analyticRuleObject9').analyticRuleId9,'/'))))]", + "properties": { + "description": "DNS Essentials Analytics Rule 9", + "parentId": "[variables('analyticRuleObject9').analyticRuleId9]", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", 
+ "kind": "AnalyticsRule", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]", + "source": { + "kind": "Solution", + "name": "DNS Essentials", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "Microsoft", + "email": "[variables('_email')]" + }, + "support": { + "name": "Microsoft Corporation", + "email": "support@microsoft.com", + "tier": "Microsoft", + "link": "https://support.microsoft.com" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "contentKind": "AnalyticsRule", + "displayName": "Ngrok Reverse Proxy on Network (ASIM DNS Solution)", + "contentProductId": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "id": "[variables('analyticRuleObject9')._analyticRulecontentProductId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + } + }, { "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", "apiVersion": "2023-04-01-preview", @@ -1176,7 +1285,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.1", + "description": "SummarizeDNSData_DNSEssentials Playbook with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('playbookVersion1')]", @@ -1685,7 +1794,7 @@ "Initial version" ] }, - "lastUpdateTime": "2024-01-31T14:39:27.720Z" + "lastUpdateTime": "2024-03-12T17:30:34.996Z" } }, "packageKind": "Solution", 
@@ -1710,7 +1819,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.1", + "description": "AnomalousIncreaseInDNSActivityByClients_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject1').huntingQueryVersion1]", @@ -1795,7 +1904,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.1", + "description": "ConnectionToUnpopularWebsiteDetected_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject2').huntingQueryVersion2]", @@ -1880,7 +1989,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.1", + "description": "CVE-2020-1350 (SIGRED)ExploitationPattern_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject3').huntingQueryVersion3]", 
@@ -1965,7 +2074,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DNSQueryWithFailuresInLast24Hours_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject4').huntingQueryVersion4]", @@ -2050,7 +2159,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.1", + "description": "DomainsWithLargeNumberOfSubDomains_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject5').huntingQueryVersion5]", @@ -2135,7 +2244,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.1", + "description": "IncreaseInDNSRequestsByClientThanTheDailyAverageCount_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject6').huntingQueryVersion6]", 
@@ -2220,7 +2329,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.1", + "description": "PossibleDNSTunnelingOrDataExfiltrationActivity_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject7').huntingQueryVersion7]", @@ -2305,7 +2414,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.1", + "description": "PotentialBeaconingActivity_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject8').huntingQueryVersion8]", @@ -2390,7 +2499,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.1", + "description": "Sources(Clients)WithHighNumberOfErrors_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject9').huntingQueryVersion9]", 
@@ -2475,7 +2584,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.1", + "description": "UnexpectedTopLevelDomains_HuntingQueries Hunting Query with template version 3.0.2", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('huntingQueryObject10').huntingQueryVersion10]", @@ -2556,12 +2665,12 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.1", + "version": "3.0.2", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "DNS Essentials", "publisherDisplayName": "Microsoft Sentinel, Microsoft Corporation", - "descriptionHtml": "
Note: There may be known issues pertaining to this Solution, please refer to them before installing.
\nThis is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the ASIM.
\nPrerequisite :-
\nInstall one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nRecommendation :-
\nIt is highly recommended to use the Summarize Data for DNS Essentials Solution logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.
\nWorkbooks: 1, Analytic Rules: 8, Hunting Queries: 10, Playbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", + "descriptionHtml": "Note: Please refer to the following before installing the solution:
\n• Review the solution Release Notes
\n• There may be known issues pertaining to this Solution, please refer to them before installing.
\nThis is a domain solution and does not include any data connectors. The content in this solution requires one of the product solutions below, as well as any other connector or data source normalized to the ASIM.
\nPrerequisite :-
\nInstall one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.
\nUnderlying Microsoft Technologies used:
\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs:
\nRecommendation :-
\nIt is highly recommended to use the Summarize Data for DNS Essentials Solution logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.
\nWorkbooks: 1, Analytic Rules: 9, Hunting Queries: 10, Playbooks: 1
\nLearn more about Microsoft Sentinel | Learn more about Solutions
\n", "contentKind": "Solution", "contentProductId": "[variables('_solutioncontentProductId')]", "id": "[variables('_solutioncontentProductId')]", @@ -2631,6 +2740,11 @@ "contentId": "[variables('analyticRuleObject8')._analyticRulecontentId8]", "version": "[variables('analyticRuleObject8').analyticRuleVersion8]" }, + { + "kind": "AnalyticsRule", + "contentId": "[variables('analyticRuleObject9')._analyticRulecontentId9]", + "version": "[variables('analyticRuleObject9').analyticRuleVersion9]" + }, { "kind": "Playbook", "contentId": "[variables('_SummarizeData_DNSEssentials')]", diff --git a/Solutions/DNS Essentials/ReleaseNotes.md b/Solutions/DNS Essentials/ReleaseNotes.md index f9aa8fc9179..6339203e854 100644 --- a/Solutions/DNS Essentials/ReleaseNotes.md +++ b/Solutions/DNS Essentials/ReleaseNotes.md @@ -1,3 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|--------------------------------------------------------------------| | 3.0.1 | 31-01-2023 | Updated the solution to fix Analytic Rules deployment issue | +| 3.0.2 | 12-03-2024 | Added new Analytic rule and repackaged solution |
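Review bot: in the descriptionHtml hunk (@@ -2556,12 +2665,12 @@), the sentences "Install one or more of the listed solutions ..." and "This solution takes a dependency on the following technologies ..." each introduce a list, but no list items follow them in the rendered text shown here on either the old or the new side; confirm the numbered lists of product solutions and underlying technologies survived in the packaged descriptionHtml rather than being lost during the repackaging. The updated counts line ("Analytic Rules: 9") does match the one rule added in this version.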
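Review bot: the dependency entry added in the @@ -2631,6 +2740,11 @@ hunk references variables('analyticRuleObject9') and its _analyticRulecontentId9 and analyticRuleVersion9 members, but neither the variable definition nor the Microsoft.SecurityInsights/contentTemplates resource for the ninth rule appears in this diff; the roughly 109-line shift in the hunk headers (for example @@ -1710,7 +1819,7 @@) indicates they were inserted earlier in mainTemplate.json, so check that block exists and follows the same kind/contentId/version pattern as the analyticRuleObject8 entry directly above, otherwise deployment of the solution package fails on an undefined variable.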
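Review bot: the new ReleaseNotes.md row for 3.0.2 says only "Added new Analytic rule and repackaged solution"; name the rule that was added so that operators reading the release notes can locate the new detection in their workspace, especially since the descriptionHtml in this same change now directs installers to review the Release Notes before installing. The date format (12-03-2024) is consistent with the DD-MM-YYYY header.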