diff --git a/.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json b/.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json index ce4ddf7330b..e45f4f91ccc 100644 --- a/.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json +++ b/.script/tests/KqlvalidationsTests/CustomTables/CloudAppEvents.json @@ -140,6 +140,10 @@ { "name": "Type", "type": "String" + }, + { + "name": "PerformedByDisplayName", + "type": "String" } ] } \ No newline at end of file diff --git a/ASIM/schemas/ASimDHCPEvent.yaml b/ASIM/schemas/ASimDHCPEvent.yaml index ef5a55b7235..ce3ec5258f4 100644 --- a/ASIM/schemas/ASimDHCPEvent.yaml +++ b/ASIM/schemas/ASimDHCPEvent.yaml @@ -135,10 +135,4 @@ Fields: - Name: DhcpUserClass Class: Optional Type: string - Description: The DHCP User Class, as defined by RFC3004. - -- Name: SrcMacAddr - Class: Optional - Type: string - Description: The MAC address of the network interface from which the connection or session originated. - Example: '06:10:9f:eb:8f:14' \ No newline at end of file + Description: The DHCP User Class, as defined by RFC3004. \ No newline at end of file diff --git a/ASIM/schemas/entities/ASimApp.yaml b/ASIM/schemas/entities/ASimApp.yaml index 9bee28ddff8..c6942117f58 100644 --- a/ASIM/schemas/entities/ASimApp.yaml +++ b/ASIM/schemas/entities/ASimApp.yaml @@ -28,4 +28,4 @@ Fields: Type: string Class: Optional Description: The user agent header accosiated with the application, when communicating using HTTP or HTTPS. - For roles: [ Actor, Src ] + For roles: [ Actor, Src, Acting ] diff --git a/ASIM/schemas/entities/ASimSystem.yaml b/ASIM/schemas/entities/ASimSystem.yaml index b5af881fd85..1d54fba8759 100644 --- a/ASIM/schemas/entities/ASimSystem.yaml +++ b/ASIM/schemas/entities/ASimSystem.yaml @@ -34,6 +34,12 @@ Fields: Logical type: Hostname Description: The device hostname, excluding domain information. If no device name is available, store the relevant IP address in this field. +- Name: <>MacAddr + Type: string + Class: Optional + Logical type: MAC address + Description: The MAC address of the device. + - Name: <>Domain Type: string Class: Optional diff --git a/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-group-adds.yaml b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-group-adds.yaml new file mode 100644 index 00000000000..4e0a3d965dd --- /dev/null +++ b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-group-adds.yaml @@ -0,0 +1,28 @@ +id: f5e4d3c2-b1a0-4f9d-8e7c-6b5a4d3e2c1f +name: AAD group adds in the last 7 days +description: | + This query looks for AAD group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps. +requiredDataConnectors: + - connectorId: MicrosoftThreatProtection + dataTypes: + - CloudAppEvents +tactics: +- Privilege Escalation +relevantTechniques: +- T1548 +query: > + let LookBack = 7d; + CloudAppEvents + | where ActionType in ("Add member to group.") and AccountType == "Regular" and Timestamp > ago(LookBack) + | extend SecondElement = RawEventData.ModifiedProperties[1] + | extend UserAddedId = RawEventData.ObjectId + | extend GroupName = SecondElement.NewValue + | project Timestamp, ActionType,UserAddedId,PerformedBy = AccountDisplayName,GroupName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: DisplayName + columnName: UserAddedId + - identifier: DisplayName + columnName: PerformedBy +version: 1.0.0 \ No newline at end of file diff --git a/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-role-adds.yaml b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-role-adds.yaml new file mode 100644 index 00000000000..f94fc0c9620 --- /dev/null +++ b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/aad-role-adds.yaml @@ -0,0 +1,34 @@ +id: d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f +name: AAD role adds in the last 7 days +description: | + This query looks for AAD role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps. +requiredDataConnectors: +- connectorId: MicrosoftThreatProtection + dataTypes: + - CloudAppEvents +tactics: +- Privilege Escalation +relevantTechniques: +- T1548 +query: > + let LookBack = 7d; + CloudAppEvents + | where ActionType in ("Add member to role.") and Timestamp > ago(LookBack) + | extend FirstElement = ActivityObjects[0], SecondElement = ActivityObjects[1], ThirdElement = ActivityObjects[2] + | extend Type = FirstElement.ServiceObjectType + | extend RoleName = FirstElement.Name + | extend UserAddedName = SecondElement.Name + | extend UserAddedObjectId = SecondElement.Id + | project Timestamp,Type,ActionType,RoleName,UserAddedName,UserAddedObjectId,PerformedByObjectId = AccountId,PerformedByDisplayName +entityMappings: + - entityType: Account + fieldMappings: + - identifier: DisplayName + columnName: UserAddedName + - identifier: ObjectGuid + columnName: UserAddedObjectId + - identifier: ObjectGuid + columnName: PerformedByObjectId + - identifier: DisplayName + columnName: PerformedByDisplayName +version: 1.0.0 diff --git a/Hunting Queries/Microsoft 365 Defender/Cloud Apps/mass-downloads.yaml b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/mass-downloads.yaml new file mode 100644 index 00000000000..c550b50ab10 --- /dev/null +++ b/Hunting Queries/Microsoft 365 Defender/Cloud Apps/mass-downloads.yaml @@ -0,0 +1,29 @@ +id: a1b2c3d4-e5f6-4g7h-8i9j-k0l1m2n3o4p5 +name: Mass Downloads in the last 7 days +description: | + This query looks for mass downloads identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps. +requiredDataConnectors: +- connectorId: MicrosoftThreatProtection + dataTypes: + - CloudAppEvents +tactics: +- Exfiltration +relevantTechniques: +- T1020 +query: > + let lookback = 7d; //set the period to query + let threshold = 50; //set the threshold for number of downloads + let downloadTimeframe = 5m; //set the bin timeframe to group the events + CloudAppEvents + | where ActionType == "FileDownloaded" and Timestamp > ago(lookback) // Filter to only "Download" actions + | summarize DownloadCount=count() by AccountDisplayName, AccountObjectId, bin(Timestamp,downloadTimeframe) //bin the results into a timeframe by the account + | where DownloadCount > threshold //filter the records that don't meet the threshold + | project AccountDisplayName,AccountObjectId,DownloadCount +entityMappings: + - entityType: Account + fieldMappings: + - identifier: ObjectGuid + columnName: AccountObjectId + - identifier: DisplayName + columnName: AccountDisplayName +version: 1.0.0 \ No newline at end of file diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_1.png new file mode 100644 index 00000000000..8f4f5ad84d8 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_2.png new file mode 100644 index 00000000000..ca166d74305 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_3.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_3.png new file mode 100644 index 00000000000..364015b304c Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_3.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_4.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_4.png new file mode 100644 index 00000000000..e8f40f50363 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Add_Contributor_Role_4.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_1.png new file mode 100644 index 00000000000..f8a912d1429 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_10.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_10.png new file mode 100644 index 00000000000..8a726a8a943 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_10.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_2.png new file mode 100644 index 00000000000..ac47b714b18 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_3.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_3.png new file mode 100644 index 00000000000..959d4c324bf Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_3.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_4.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_4.png new file mode 100644 index 00000000000..f221037151a Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_4.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_5.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_5.png new file mode 100644 index 00000000000..fc336b6ef01 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_5.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_6.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_6.png new file mode 100644 index 00000000000..fd45b35f7d4 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_6.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_7.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_7.png new file mode 100644 index 00000000000..ae780157f12 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_7.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_8.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_8.png new file mode 100644 index 00000000000..96094c81221 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_8.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_9.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_9.png new file mode 100644 index 00000000000..906d9bc4535 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_App_Registration_9.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_1.png new file mode 100644 index 00000000000..bfb6fe54d0c Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_2.png new file mode 100644 index 00000000000..023bd203c9b Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Demo_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_1.png new file mode 100644 index 00000000000..013a82f4d3f Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_2.png new file mode 100644 index 00000000000..0081c651daf Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_3.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_3.png new file mode 100644 index 00000000000..1aaf9377d1c Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Deploy_3.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_1.png new file mode 100644 index 00000000000..c45145b2008 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_2.png new file mode 100644 index 00000000000..53ac702f981 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_3.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_3.png new file mode 100644 index 00000000000..cc932510e46 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_3.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_1.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_1.png new file mode 100644 index 00000000000..c5d0074fa8d Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_1.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_2.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_2.png new file mode 100644 index 00000000000..ff4a315d573 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_2.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_3.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_3.png new file mode 100644 index 00000000000..2beb3057bda Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_3.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_4.png b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_4.png new file mode 100644 index 00000000000..5e4322a1bb8 Binary files /dev/null and b/Playbooks/AS-Block-Hash-in-Defender/Images/BlockHashInDefender_Key_Vault_Access_4.png differ diff --git a/Playbooks/AS-Block-Hash-in-Defender/README.md b/Playbooks/AS-Block-Hash-in-Defender/README.md new file mode 100644 index 00000000000..8fff73e0d1d --- /dev/null +++ b/Playbooks/AS-Block-Hash-in-Defender/README.md @@ -0,0 +1,176 @@ +# AS-Block-Hash-in-Defender + +Author: Accelerynt + +For any technical questions, please contact info@accelerynt.com + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Block-Hash-in-Defender%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Block-Hash-in-Defender%2Fazuredeploy.json) + +This playbook is intended to be run from a Microsoft Sentinel Incident. It will take the File Hashes from the Incident entities list and block them in Defender. A comment noting the affected File Hashes will be added to the Incident. + +![BlockHashInDefender_Demo_1](Images/BlockHashInDefender_Demo_1.png) + +![BlockHashInDefender_Demo_2](Images/BlockHashInDefender_Demo_2.png) + + +# +### Requirements + +The following items are required under the template settings during deployment: + +* A Microsoft Azure Active Directory [app registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-app-registration) with admin consent granted for "**TI.ReadWrite**" in the "**WindowsDefenderATP**" API +* An [Azure key vault secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-azure-key-vault-secret) containing your app registration client secret + + +# +### Setup + +#### Create an App Registration + +Navigate to the Microsoft Azure Active Directory app registration page: https://portal.azure.com/#view/Microsoft_AAD_RegisteredApps/ApplicationsListBlade + +Click "**New registration**". + +![BlockHashInDefender_App_Registration_1](Images/BlockHashInDefender_App_Registration_1.png) + +Enter "**AS-Block-Hash-in-Defender**" for the name, all else can be left as is. Click "**Register**" + +![BlockHashInDefender_App_Registration_2](Images/BlockHashInDefender_App_Registration_2.png) + +Once the app registration is created, you will be redirected to the "**Overview**" page. Under the "**Essentials**" section, take note of the "**Application (client) ID**", as this will be needed for deployment. + +![BlockHashInDefender_App_Registration_3](Images/BlockHashInDefender_App_Registration_3.png) + +Next, you will need to add permissions for the app registration to call the [Microsoft Defender submit indicator API endpoint](https://learn.microsoft.com/en-us/microsoft-365/security/defender-endpoint/post-ti-indicator?view=o365-worldwide#permissions). From the left menu blade, click "**API permissions**" under the "**Manage**" section. Then, click "**Add a permission**". + +![BlockHashInDefender_App_Registration_4](Images/BlockHashInDefender_App_Registration_4.png) + +From the "**Select an API**" pane, click the "**APIs my organization uses**" tab, then paste "**WindowsDefenderATP**" in the search bar. Click the option matching the search. + +![BlockHashInDefender_App_Registration_5](Images/BlockHashInDefender_App_Registration_5.png) + +Click "**Application permissions**", then type "**TI.ReadAll**" into the search bar and select the result. Click "**Add permissions**". + +![BlockHashInDefender_App_Registration_6](Images/BlockHashInDefender_App_Registration_6.png) + +Admin consent will be needed before your app registration can use the assigned permission. Click "**Grant admin consent for (name)**". + +![BlockHashInDefender_App_Registration_7](Images/BlockHashInDefender_App_Registration_7.png) + +Lastly, a client secret will need to be generated for the app registration. From the left menu blade, click "**Certificates & secrets**" under the "**Manage**" section. Then, click "**New client secret**". + +![BlockHashInDefender_App_Registration_8](Images/BlockHashInDefender_App_Registration_8.png) + +Enter a description and select the desired expiration date, then click "**Add**". + +![BlockHashInDefender_App_Registration_9](Images/BlockHashInDefender_App_Registration_9.png) + +Copy the value of the secret that is generated, as this will be needed for [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-azure-key-vault-secret). + +![BlockHashInDefender_App_Registration_10](Images/BlockHashInDefender_App_Registration_10.png) + + +#### Create an Azure Key Vault Secret + +Navigate to the Azure key vaults page: https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.KeyVault%2Fvaults + +Navigate to an existing key vault or create a new one. From the key vault overview page, click the "**Secrets**" menu option, found under the "**Settings**" section. Click "**Generate/Import**". + +![BlockHashInDefender_Key_Vault_1](Images/BlockHashInDefender_Key_Vault_1.png) + +Choose a name for the secret, such as "**AS-Block-Hash-in-Defender-AR-Client-Secret**", and enter the client secret copied in the [previous section](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-app-registration). All other settings can be left as is. Click "**Create**". + +![BlockHashInDefender_Key_Vault_2](Images/BlockHashInDefender_Key_Vault_2.png) + +Once your secret has been added to the vault, navigate to the "**Access policies**" menu option. Leave this page open, as you will need to return to it once the playbook has been deployed. See [Granting Access to Azure Key Vault](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#granting-access-to-azure-key-vault). + +![BlockHashInDefender_Key_Vault_3](Images/BlockHashInDefender_Key_Vault_3.png) + + +# +### Deployment + +To configure and deploy this playbook: + +Open your browser and ensure you are logged into your Microsoft Sentinel workspace. In a separate tab, open the link to our playbook on the Accelerynt Security GitHub repository: + +https://github.com/Accelerynt-Security/AS-Block-Hash-in-Defender + +[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Block-Hash-in-Defender%2Fazuredeploy.json) +[![Deploy to Azure Gov](https://aka.ms/deploytoazuregovbutton)](https://portal.azure.us/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FPlaybooks%2FAS-Block-Hash-in-Defender%2Fazuredeploy.json) + +Click the "**Deploy to Azure**" button at the bottom and it will bring you to the custom deployment template. + +In the **Project Details** section: + +* Select the "**Subscription**" and "**Resource Group**" from the dropdown boxes you would like the playbook deployed to. + +In the **Instance Details** section: + +* **Playbook Name**: This can be left as "**AS-Block-Hash-in-Defender**" or you may change it. + +* **Client ID**: Enter the Application (client) ID of your app registration referenced in [Create an App Registration](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-app-registration). + +* **Key Vault Name**: Enter the name of the key vault referenced in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-azure-key-vault-secret). + +* **Key Vault Secret Name**: Enter the name of the key vault Secret created in [Create an Azure Key Vault Secret](https://github.com/Azure/Azure-Sentinel/tree/master/Playbooks/AS-Block-Hash-in-Defender#create-an-azure-key-vault-secret). + +Towards the bottom, click on "**Review + create**". + +![BlockHashInDefender_Deploy_1](Images/BlockHashInDefender_Deploy_1.png) + +Once the resources have validated, click on "**Create**". + +![BlockHashInDefender_Deploy_2](Images/BlockHashInDefender_Deploy_2.png) + +The resources should take around a minute to deploy. Once the deployment is complete, you can expand the "**Deployment details**" section to view them. +Click the one corresponding to the Logic App. + +![BlockHashInDefender_Deploy_3](Images/BlockHashInDefender_Deploy_3.png) + + +# +### Granting Access to Azure Key Vault + +Before the Logic App can run successfully, the key vault connection created during deployment must be granted access to the key vault storing your app registration client secret. + +From the key vault "**Access policies**" page, click "**Create**". + +![BlockHashInDefender_Key_Vault_Access_1](Images/BlockHashInDefender_Key_Vault_Access_1.png) + +Select the "**Get**" checkbox under "**Secret permissions**", then click "**Next**". + +![BlockHashInDefender_Key_Vault_Access_2](Images/BlockHashInDefender_Key_Vault_Access_2.png) + +Paste "**AS-Block-Hash-in-Defender**" into the principal search box and click the option that appears. Click "**Next**" towards the bottom of the page. + +![BlockHashInDefender_Key_Vault_Access_3](Images/BlockHashInDefender_Key_Vault_Access_3.png) + +Navigate to the "**Review + create**" section and click "**Create**". + +![BlockHashInDefender_Key_Vault_Access_4](Images/BlockHashInDefender_Key_Vault_Access_4.png) + + +# +### Microsoft Sentinel Contributor Role + +After deployment, you will need to give the system assigned managed identity the "**Microsoft Sentinel Contributor**" role. This will enable the Logic App to add comments to Incidents. Navigate to the Log Analytics Workspaces page and select the same workspace the playbook is located in: + +https://portal.azure.com/#view/HubsExtension/BrowseResource/resourceType/Microsoft.OperationalInsights%2Fworkspaces + +Select the "**Access control (IAM)**" option from the menu blade, then click "**Add role assignment**". + +![BlockHashInDefender_Add_Contributor_Role_1](Images/BlockHashInDefender_Add_Contributor_Role_1.png) + +Select the "**Microsoft Sentinel Contributor**" role, then click "**Next**". + +![BlockHashInDefender_Add_Contributor_Role_2](Images/BlockHashInDefender_Add_Contributor_Role_2.png) + +Select the "**Managed identity**" option, then click "**Select Members**". Under the subscription the Logic App is located, set the value of "**Managed identity**" to "**Logic app**". Next, enter "**AS-Sign-Out-Google-User**", or the alternative playbook name used during deployment, in the field labeled "**Select**". Select the playbook, then click "**Select**". + +![BlockHashInDefender_Add_Contributor_Role_3](Images/BlockHashInDefender_Add_Contributor_Role_3.png) + +Continue on to the "**Review + assign**" tab and click "**Review + assign**". + +![BlockHashInDefender_Add_Contributor_Role_4](Images/BlockHashInDefender_Add_Contributor_Role_4.png) diff --git a/Playbooks/AS-Block-Hash-in-Defender/azuredeploy.json b/Playbooks/AS-Block-Hash-in-Defender/azuredeploy.json new file mode 100644 index 00000000000..cbdbe4dedda --- /dev/null +++ b/Playbooks/AS-Block-Hash-in-Defender/azuredeploy.json @@ -0,0 +1,346 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "metadata": { + "title": "AS-Block-Hash-in-Defender", + "description": "This playbook is intended to be run from a Microsoft Sentinel Incident. It will take the File Hashes from the Incident entities list and block them in Defender. A comment noting the affected File Hashes will be added to the Incident.", + "prerequisites": "1. An App Registration with TI.ReadWrite permission granted on WindowsDefenderATP. 2. A client secret for the App Registration must be generated. 3. An Azure Key Vault Secret to hold the client secret. Support for the set up and configuration of each of these items can be found here: https://github.com/Accelerynt-Security/AS-Block-Hash-in-Defender", + "postDeployment": ["Access to the Azure Key Vault must be granted to the playbook","The Microsoft Sentinel Contributor role must be applied to the playbook"], + "lastUpdateTime": "2023-08-28T8:21:03Z", + "entities": ["FileHash"], + "tags": ["Microsoft Sentinel", "Incident", "Defender", "Block File Hash"], + "support": { + "tier": "partner" + }, + "author": { + "name": "Accelerynt" + } + }, + "parameters": { + "PlaybookName": { + "defaultValue": "AS-Block-Hash-in-Defender", + "type": "string", + "metadata": { + "description": "Name of the Logic App resource to be created" + } + }, + "ClientID": { + "type": "string", + "metadata" : { + "description" : "Enter the Application (client) ID of your App Registration" + } + }, + "KeyVaultName": { + "type": "string", + "metadata" : { + "description" : "Name of the Key Vault that stores the App Registration client secret" + } + }, + "KeyVaultSecretName": { + "type": "string", + "metadata": { + "description": "Name of Key Vault Secret that contains the App Registration client secret" + } + } + }, + "variables": { + "azuresentinel": "[concat('azuresentinel-', parameters('PlaybookName'))]", + "keyvault": "[concat('keyvault-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('azuresentinel')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "customParameterValues": {}, + "parameterValueType": "Alternative", + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('keyvault')]", + "location": "[resourceGroup().location]", + "kind": "V1", + "properties": { + "displayName": "[parameters('PlaybookName')]", + "parameterValueType": "Alternative", + "alternativeParameterValues": { + "vaultName": "[parameters('KeyVaultName')]" + }, + "customParameterValues": { + }, + "api": { + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]" + } + } + }, + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[resourceGroup().location]", + "tags": { + "LogicAppsCategory": "security" + }, + "identity": { + "type": "SystemAssigned" + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]", + "[resourceId('Microsoft.Web/connections', variables('keyvault'))]" + ], + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_incident": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/incident-creation" + } + } + }, + "actions": { + "Condition_-_One_or_more_File_Hashes_blocked": { + "actions": { + "Add_comment_to_incident_(V3)": { + "inputs": { + "body": { + "incidentArmId": "@triggerBody()?['object']?['id']", + "message": "

Blocked the following file hashes in Defender:
\n@{variables('Blocked File Hashes')}
\n

" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/Incidents/Comment" + }, + "runAfter": {}, + "type": "ApiConnection" + } + }, + "expression": { + "and": [ + { + "greater": [ + "@length(variables('Blocked File Hashes'))", + 0 + ] + } + ] + }, + "runAfter": { + "For_each": [ + "Succeeded" + ] + }, + "type": "If" + }, + "Entities_-_Get_FileHashes": { + "inputs": { + "body": "@triggerBody()?['object']?['properties']?['relatedEntities']", + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "post", + "path": "/entities/filehash" + }, + "runAfter": {}, + "type": "ApiConnection" + }, + "For_each": { + "actions": { + "Condition_-_File_Hash_Successfully_Blocked": { + "actions": { + "Append_to_string_variable": { + "inputs": { + "name": "Blocked File Hashes", + "value": "@items('For_each')?['hashValue']" + }, + "runAfter": {}, + "type": "AppendToStringVariable" + } + }, + "expression": { + "and": [ + { + "equals": [ + "@outputs('HTTP_-_Add_Defender_IOC')['statusCode']", + 200 + ] + } + ] + }, + "runAfter": { + "HTTP_-_Add_Defender_IOC": [ + "Succeeded" + ] + }, + "type": "If" + }, + "HTTP_-_Add_Defender_IOC": { + "inputs": { + "body": { + "action": "Block", + "description": "test", + "indicatorType": "FileSha256", + "indicatorValue": "@items('For_each')?['hashValue']", + "title": "Test-Playbook" + }, + "headers": { + "Authorization": "Bearer @{body('Parse_JSON')?['access_token']}" + }, + "method": "POST", + "uri": "https://api.securitycenter.microsoft.com/api/indicators" + }, + "runAfter": {}, + "type": "Http" + } + }, + "foreach": "@body('Entities_-_Get_FileHashes')?['Filehashes']", + "runAfter": { + "Initialize_variable_-_Blocked_File_Hashes": [ + "Succeeded" + ] + }, + "type": "Foreach" + }, + "Get_Client_Secret": { + "runAfter": { + "Entities_-_Get_FileHashes": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['keyvault']['connectionId']" + } + }, + "method": "get", + "path": "[concat('/secrets/@{encodeURIComponent(''', parameters('KeyVaultSecretName'), ''')}/value')]" + } + }, + "HTTP_-_Authenticate": { + "runAfter": { + "Get_Client_Secret": [ + "Succeeded" + ] + }, + "type": "Http", + "inputs": { + "body": "[concat('grant_type=client_credentials&client_id=', parameters('ClientID'),'&client_secret=@{body(''Get_Client_Secret'')?[''value'']}&scope=https://securitycenter.onmicrosoft.com/windowsatpservice/.default')]", + "headers": { + "Content-Type": "application/x-www-form-urlencoded", + "Host": "login.microsoftonline.com" + }, + "method": "POST", + "uri": "[concat('https://login.microsoftonline.com/', subscription().tenantId, '/oauth2/v2.0/token')]" + } + }, + "Initialize_variable_-_Blocked_File_Hashes": { + "inputs": { + "variables": [ + { + "name": "Blocked File Hashes", + "type": "string" + } + ] + }, + "runAfter": { + "Parse_JSON": [ + "Succeeded" + ] + }, + "type": "InitializeVariable" + }, + "Parse_JSON": { + "inputs": { + "content": "@body('HTTP_-_Authenticate')", + "schema": { + "properties": { + "access_token": { + "type": "string" + }, + "expires_in": { + "type": "integer" + }, + "ext_expires_in": { + "type": "integer" + }, + "token_type": { + "type": "string" + } + }, + "type": "object" + } + }, + "runAfter": { + "HTTP_-_Authenticate": [ + "Succeeded" + ] + }, + "type": "ParseJson" + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('azuresentinel'))]", + "connectionName": "[variables('azuresentinel')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/azuresentinel')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + }, + "keyvault": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('keyvault'))]", + "connectionName": "[variables('keyvault')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId,'/providers/Microsoft.Web/locations/', resourceGroup().location, '/managedApis/keyvault')]", + "connectionProperties": { + "authentication": { + "type": "ManagedServiceIdentity" + } + } + } + } + } + } + } + } + ] +} diff --git a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON index eca806d508b..c6e18aeff67 100644 --- a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON +++ b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopNetworks.JSON @@ -1,6 +1,6 @@ { "id": "ExtraHopNetworks", - "title": "ExtraHop Reveal(x)", + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", "publisher": "ExtraHop Networks", "logo": "ExtraHopLogo.svg", "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", diff --git a/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON new file mode 100644 index 00000000000..1518e48b2ad --- /dev/null +++ b/Solutions/ExtraHop Reveal(x)/Data Connectors/template_ExtraHopReveal(x)AMA.JSON @@ -0,0 +1,136 @@ +{ + "id": "ExtraHopNetworksAma", + "title": "[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "logo": "ExtraHopLogo.svg", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "title": "", + "description": "", + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine", + "instructions": [ + ] + }, + { + "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel.", + "instructions": [ + ] + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + + { + "title": "2. Secure your machine ", + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)" + } + ], + "metadata": { + "id": "3c3af19d-b178-44cd-a130-c48b366758c4", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "ExtraHop Networks" + }, + "support": { + "name": "ExtraHop Networks", + "link": "https://www.extrahop.com/support/", + "tier": "developer" + } + } +} \ No newline at end of file diff --git a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json index dc3ac8c69b8..81a5f253e77 100644 --- a/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json +++ b/Solutions/ExtraHop Reveal(x)/Data/Solution_ExtraHop Reveal(x).json @@ -2,16 +2,17 @@ "Name": "ExtraHop Reveal(x)", "Author": "ExtraHop", "Logo": "", - "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities./n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:/na. [Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)", + "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", "Data Connectors": [ - "Data Connectors/template_ExtraHopNetworks.json" + "Data Connectors/template_ExtraHopNetworks.json", + "Data Connectors/template_ExtraHopReveal(x)AMA.json" ], "Workbooks": [ "Workbooks/ExtraHopDetectionSummary.json" ], "Metadata": "SolutionMetadata.json", "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ExtraHop Reveal(x)", - "Version": "2.0.1", + "Version": "3.0.0", "TemplateSpec": true, "Is1PConnector": false } \ No newline at end of file diff --git a/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json b/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json new file mode 100644 index 00000000000..12725d3ae24 --- /dev/null +++ b/Solutions/ExtraHop Reveal(x)/Data/system_generated_metadata.json @@ -0,0 +1,30 @@ +{ + "Name": "ExtraHop Reveal(x)", + "Author": "ExtraHop", + "Logo": "", + "Description": "The [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).", + "Metadata": "SolutionMetadata.json", + "BasePath": "C:\\Sentinel-Repos\\19.05.22\\Azure-Sentinel\\Solutions\\ExtraHop Reveal(x)", + "Version": "3.0.0", + "TemplateSpec": true, + "Is1PConnector": false, + "publisherId": "extrahop", + "offerId": "extrahop_revealx_mss", + "providers": [ + "ExtraHop" + ], + "categories": { + "domains": [ + "Security - Threat Protection", + "Security - Cloud Security" + ] + }, + "firstPublishDate": "2022-05-19", + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + }, + "Data Connectors": "[\n \"Data Connectors/template_ExtraHopNetworks.json\",\n \"Data Connectors/template_ExtraHopReveal(x)AMA.json\"\n]", + "Workbooks": "[\n \"Workbooks/ExtraHopDetectionSummary.json\"\n]" +} diff --git a/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip new file mode 100644 index 00000000000..34fe4d18616 Binary files /dev/null and b/Solutions/ExtraHop Reveal(x)/Package/3.0.0.zip differ diff --git a/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json b/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json index 24002218bfa..d3ec5116407 100644 --- a/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json +++ b/Solutions/ExtraHop Reveal(x)/Package/createUiDefinition.json @@ -6,7 +6,7 @@ "config": { "isWizard": false, "basics": { - "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\r\n \r\n **Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs: \r\n \r\n a. [Agent-based log collection (CEF over Syslog) ](https://docs.microsoft.com/azure/sentinel/connect-common-event-format)\n\n**Data Connectors:** 1, **Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", + "description": "\n\n**Note:** _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe [ExtraHop Reveal(x)](https://www.extrahop.com/products/security/) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.\n\r\n1. **ExtraHop Reveal(x) via AMA** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent [here](https://learn.microsoft.com/azure/sentinel/connect-cef-ama). **Microsoft recommends using this Data Connector**.\n\r\n2. **ExtraHop Reveal(x) via Legacy Agent** - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.\n\n**NOTE:** Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by **Aug 31, 2024,** and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost [more details](https://learn.microsoft.com/en-us/azure/sentinel/ama-migrate).\n\n**Workbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)", "subscription": { "resourceProviders": [ "Microsoft.OperationsManagement/solutions", @@ -51,30 +51,6 @@ } ], "steps": [ - { - "name": "dataconnectors", - "label": "Data Connectors", - "bladeTitle": "Data Connectors", - "elements": [ - { - "name": "dataconnectors1-text", - "type": "Microsoft.Common.TextBlock", - "options": { - "text": "This solution installs the data connector for ingesting ExtraHop Reveal Events in the CEF format into Microsoft Sentinel. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." - } - }, - { - "name": "dataconnectors-link2", - "type": "Microsoft.Common.TextBlock", - "options": { - "link": { - "label": "Learn more about connecting data sources", - "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources" - } - } - } - ] - }, { "name": "workbooks", "label": "Workbooks", @@ -100,6 +76,20 @@ "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data" } } + }, + { + "name": "workbook1", + "type": "Microsoft.Common.Section", + "label": "ExtraHop", + "elements": [ + { + "name": "workbook1-text", + "type": "Microsoft.Common.TextBlock", + "options": { + "text": "Gain insights into ExtraHop Reveal(x) detections by analyzing traffic and activities.\nThis workbook provides an overview of security detections in your organization's network, including high-risk detections and top participants." + } + } + ] } ] } diff --git a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json index 147e5af3af6..5a4d1123212 100644 --- a/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json +++ b/Solutions/ExtraHop Reveal(x)/Package/mainTemplate.json @@ -38,52 +38,48 @@ } }, "variables": { + "_solutionName": "ExtraHop Reveal(x)", + "_solutionVersion": "3.0.0", "solutionId": "extrahop.extrahop_revealx_mss", "_solutionId": "[variables('solutionId')]", - "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "uiConfigId1": "ExtraHopNetworks", "_uiConfigId1": "[variables('uiConfigId1')]", "dataConnectorContentId1": "ExtraHopNetworks", "_dataConnectorContentId1": "[variables('dataConnectorContentId1')]", "dataConnectorId1": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", "_dataConnectorId1": "[variables('dataConnectorId1')]", - "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1')))]", + "dataConnectorTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId1'))))]", "dataConnectorVersion1": "1.0.0", + "_dataConnectorcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId1'),'-', variables('dataConnectorVersion1'))))]", + "uiConfigId2": "ExtraHopNetworksAma", + "_uiConfigId2": "[variables('uiConfigId2')]", + "dataConnectorContentId2": "ExtraHopNetworksAma", + "_dataConnectorContentId2": "[variables('dataConnectorContentId2')]", + "dataConnectorId2": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "_dataConnectorId2": "[variables('dataConnectorId2')]", + "dataConnectorTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-dc-',uniquestring(variables('_dataConnectorContentId2'))))]", + "dataConnectorVersion2": "1.0.0", + "_dataConnectorcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','dc','-', uniqueString(concat(variables('_solutionId'),'-','DataConnector','-',variables('_dataConnectorContentId2'),'-', variables('dataConnectorVersion2'))))]", "workbookVersion1": "1.0.0", "workbookContentId1": "ExtraHopDetectionSummaryWorkbook", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", - "workbookTemplateSpecName1": "[concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1')))]", - "_workbookContentId1": "[variables('workbookContentId1')]" + "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", + "_workbookContentId1": "[variables('workbookContentId1')]", + "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", + "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", + "_solutioncontentProductId": "[concat(take(variables('_solutionId'),50),'-','sl','-', uniqueString(concat(variables('_solutionId'),'-','Solution','-',variables('_solutionId'),'-', variables('_solutionVersion'))))]" }, "resources": [ { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", "name": "[variables('dataConnectorTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, - "properties": { - "description": "ExtraHop Reveal(x) data connector with template", - "displayName": "ExtraHop Reveal(x) template" - } - }, - { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('dataConnectorTemplateSpecName1'),'/',variables('dataConnectorVersion1'))]", - "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "DataConnector" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('dataConnectorTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExtraHop Reveal(x) data connector with template version 2.0.1", + "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -99,7 +95,7 @@ "properties": { "connectorUiConfig": { "id": "[variables('_uiConfigId1')]", - "title": "ExtraHop Reveal(x)", + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", "publisher": "ExtraHop Networks", "logo": "ExtraHopLogo.svg", "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", @@ -242,7 +238,7 @@ }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "properties": { "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId1'))]", @@ -265,12 +261,23 @@ } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId1')]", + "contentKind": "DataConnector", + "displayName": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", + "contentProductId": "[variables('_dataConnectorcontentProductId1')]", + "id": "[variables('_dataConnectorcontentProductId1')]", + "version": "[variables('dataConnectorVersion1')]" } }, { "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "apiVersion": "2023-04-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId1'),'/'))))]", "dependsOn": [ "[variables('_dataConnectorId1')]" @@ -304,7 +311,7 @@ "kind": "GenericUI", "properties": { "connectorUiConfig": { - "title": "ExtraHop Reveal(x)", + "title": "[Deprecated] ExtraHop Reveal(x) via Legacy Agent", "publisher": "ExtraHop Networks", "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", "graphQueries": [ @@ -430,33 +437,361 @@ } }, { - "type": "Microsoft.Resources/templateSpecs", - "apiVersion": "2021-05-01", - "name": "[variables('workbookTemplateSpecName1')]", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('dataConnectorTemplateSpecName2')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, + "dependsOn": [ + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" + ], "properties": { - "description": "ExtraHop Reveal(x) Workbook with template", - "displayName": "ExtraHop Reveal(x) workbook template" + "description": "ExtraHop Reveal(x) data connector with template version 3.0.0", + "mainTemplate": { + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "[variables('dataConnectorVersion2')]", + "parameters": {}, + "variables": {}, + "resources": [ + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "id": "[variables('_uiConfigId2')]", + "title": "[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "logo": "ExtraHopLogo.svg", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "metadata": { + "id": "3c3af19d-b178-44cd-a130-c48b366758c4", + "version": "1.0.0", + "kind": "dataConnector", + "source": { + "kind": "community" + }, + "author": { + "name": "ExtraHop Networks" + }, + "support": { + "name": "ExtraHop Networks", + "link": "https://www.extrahop.com/support/", + "tier": "developer" + } + } + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + } + } + } + ] + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_dataConnectorContentId2')]", + "contentKind": "DataConnector", + "displayName": "[Recommended] ExtraHop Reveal(x) via AMA", + "contentProductId": "[variables('_dataConnectorcontentProductId2')]", + "id": "[variables('_dataConnectorcontentProductId2')]", + "version": "[variables('dataConnectorVersion2')]" } }, { - "type": "Microsoft.Resources/templateSpecs/versions", - "apiVersion": "2021-05-01", - "name": "[concat(variables('workbookTemplateSpecName1'),'/',variables('workbookVersion1'))]", + "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", + "apiVersion": "2023-04-01-preview", + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('DataConnector-', last(split(variables('_dataConnectorId2'),'/'))))]", + "dependsOn": [ + "[variables('_dataConnectorId2')]" + ], + "location": "[parameters('workspace-location')]", + "properties": { + "parentId": "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/dataConnectors', variables('_dataConnectorContentId2'))]", + "contentId": "[variables('_dataConnectorContentId2')]", + "kind": "DataConnector", + "version": "[variables('dataConnectorVersion2')]", + "source": { + "kind": "Solution", + "name": "ExtraHop Reveal(x)", + "sourceId": "[variables('_solutionId')]" + }, + "author": { + "name": "ExtraHop" + }, + "support": { + "name": "ExtraHop", + "tier": "partner", + "link": "https://www.extrahop.com/support/" + } + } + }, + { + "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',variables('_dataConnectorContentId2'))]", + "apiVersion": "2021-03-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/dataConnectors", + "location": "[parameters('workspace-location')]", + "kind": "GenericUI", + "properties": { + "connectorUiConfig": { + "title": "[Recommended] ExtraHop Reveal(x) via AMA", + "publisher": "ExtraHop Networks", + "descriptionMarkdown": "The ExtraHop Reveal(x) data connector enables you to easily connect your Reveal(x) system with Microsoft Sentinel to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.", + "graphQueries": [ + { + "metricName": "Total data received", + "legend": "ExtraHop Networks", + "baseQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)" + } + ], + "dataTypes": [ + { + "name": "CommonSecurityLog (‘ExtraHop’)", + "lastDataReceivedQuery": "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)" + } + ], + "connectivityCriterias": [ + { + "type": "IsConnectedQuery", + "value": [ + "CommonSecurityLog\n |where DeviceVendor =~ 'ExtraHop'\n |extend sent_by_ama = column_ifexists('CollectorHostName','')\n |where isnotempty(sent_by_ama)\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)" + ] + } + ], + "sampleQueries": [ + { + "description": "All logs", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | sort by TimeGenerated" + }, + { + "description": "All detections, de-duplicated", + "query": "\nCommonSecurityLog\n| where DeviceVendor == \"ExtraHop\"\n\n | extend categories = iif(DeviceCustomString2 != \"\", split(DeviceCustomString2, \",\"),dynamic(null))\n     | extend StartTime = extract(\"start=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | extend EndTime = extract(\"end=([0-9-]+T[0-9:.]+Z)\", 1, AdditionalExtensions,typeof(datetime))\n     | project      \n     DeviceEventClassID=\"ExtraHop Detection\",\n     Title=Activity,\n     Description=Message,\n     riskScore=DeviceCustomNumber2,     \n     SourceIP,\n     DestinationIP,\n     detectionID=tostring(DeviceCustomNumber1),\n     updateTime=todatetime(ReceiptTime),\n     StartTime,\n     EndTime,\n     detectionURI=DeviceCustomString1,\n     categories,\n     Computer\n     | summarize arg_max(updateTime, *) by detectionID\n     | sort by detectionID desc" + } + ], + "availability": { + "status": 1, + "isPreview": false + }, + "permissions": { + "resourceProvider": [ + { + "provider": "Microsoft.OperationalInsights/workspaces", + "permissionsDisplayText": "read and write permissions.", + "providerDisplayName": "Workspace", + "scope": "Workspace", + "requiredPermissions": { + "read": true, + "write": true, + "delete": true + } + }, + { + "provider": "Microsoft.OperationalInsights/workspaces/sharedKeys", + "permissionsDisplayText": "read permissions to shared keys for the workspace. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).", + "providerDisplayName": "Keys", + "scope": "Workspace", + "requiredPermissions": { + "action": true + } + } + ], + "customs": [ + { + "description": "To collect data from non-Azure VMs, they must have Azure Arc installed and enabled. [Learn more](https://docs.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-install?tabs=ARMAgentPowerShell,PowerShellWindows,PowerShellWindowsArc,CLIWindows,CLIWindowsArc)" + }, + { + "description": "Common Event Format (CEF) via AMA and Syslog via AMA data connectors must be installed [Learn more](https://learn.microsoft.com/azure/sentinel/connect-cef-ama#open-the-connector-page-and-create-the-dcr)" + } + ] + }, + "instructionSteps": [ + { + "instructions": [ + { + "parameters": { + "title": "1. Kindly follow the steps to configure the data connector", + "instructionSteps": [ + { + "title": "Step A. Configure the Common Event Format (CEF) via AMA data connector", + "description": "_Note:- CEF logs are collected only from Linux Agents_\n\n1. Navigate to Microsoft Sentinel workspace ---> configuration ---> Data connector blade .\n\n2. Search for 'Common Event Format (CEF) via AMA' data connector and open it.\n\n3. Check If there is no existing DCR configured to collect required facility of logs, Create a new DCR (Data Collection Rule)\n\n\t_Note:- It is recommended to install minimum 1.27 version of AMA agent [Learn more](https://learn.microsoft.com/azure/azure-monitor/agents/azure-monitor-agent-manage?tabs=azure-portal ) and ensure there is no duplicate DCR as it can cause log duplicacy_\n\n4. Run the command provided in the CEF via AMA data connector page to configure the CEF collector on the machine" + + }, + { + "title": "Step B. Forward ExtraHop Networks logs to Syslog agent", + "description": "1. Set your security solution to send Syslog messages in CEF format to the proxy machine. Make sure to send the logs to port 514 TCP on the machine IP address.\n2. Follow the directions to install the [ExtraHop Detection SIEM Connector bundle](https://aka.ms/asi-syslog-extrahop-forwarding) on your Reveal(x) system. The SIEM Connector is required for this integration.\n3. Enable the trigger for **ExtraHop Detection SIEM Connector - CEF**\n4. Update the trigger with the ODS syslog targets you created \n5. The Reveal(x) system formats syslog messages in Common Event Format (CEF) and then sends data to Microsoft Sentinel." + + }, + { + "title": "Step C. Validate connection", + "description": "Follow the instructions to validate your connectivity:\n\nOpen Log Analytics to check if the logs are received using the CommonSecurityLog schema.\n\nIt may take about 20 minutes until the connection streams data to your workspace.\n\nIf the logs are not received, run the following connectivity validation script:\n\n 1. Make sure that you have Python on your machine using the following command: python -version\n\n2. You must have elevated permissions (sudo) on your machine", + "instructions": [ + { + "parameters": { + "label": "Run the following command to validate your connectivity:", + "value": "sudo wget -O Sentinel_AMA_troubleshoot.py https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/DataConnectors/Syslog/Sentinel_AMA_troubleshoot.py&&sudo python Sentinel_AMA_troubleshoot.py --cef" + }, + "type": "CopyableLabel" + } + ] + } + ] + }, + "type": "InstructionStepsGroup" + } + ] + }, + { + "description": "Make sure to configure the machine's security according to your organization's security policy\n\n\n[Learn more >](https://aka.ms/SecureCEF)", + "title": "2. Secure your machine " + } + ], + "id": "[variables('_uiConfigId2')]" + } + } + }, + { + "type": "Microsoft.OperationalInsights/workspaces/providers/contentTemplates", + "apiVersion": "2023-04-01-preview", + "name": "[variables('workbookTemplateSpecName1')]", "location": "[parameters('workspace-location')]", - "tags": { - "hidden-sentinelWorkspaceId": "[variables('workspaceResourceId')]", - "hidden-sentinelContentType": "Workbook" - }, "dependsOn": [ - "[resourceId('Microsoft.Resources/templateSpecs', variables('workbookTemplateSpecName1'))]" + "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExtraHopDetectionSummaryWorkbook Workbook with template version 2.0.1", + "description": "ExtraHopDetectionSummaryWorkbook Workbook with template version 3.0.0", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -502,21 +837,56 @@ "name": "ExtraHop", "tier": "partner", "link": "https://www.extrahop.com/support/" + }, + "dependencies": { + "operator": "AND", + "criteria": [ + { + "contentId": "CommonSecurityLog", + "kind": "DataType" + }, + { + "contentId": "ExtraHopNetworks", + "kind": "DataConnector" + }, + { + "contentId": "ExtraHopNetworksAma", + "kind": "DataConnector" + } + ] } } } ] - } + }, + "packageKind": "Solution", + "packageVersion": "[variables('_solutionVersion')]", + "packageName": "[variables('_solutionName')]", + "packageId": "[variables('_solutionId')]", + "contentSchemaVersion": "3.0.0", + "contentId": "[variables('_workbookContentId1')]", + "contentKind": "Workbook", + "displayName": "[parameters('workbook1-name')]", + "contentProductId": "[variables('_workbookcontentProductId1')]", + "id": "[variables('_workbookcontentProductId1')]", + "version": "[variables('workbookVersion1')]" } }, { - "type": "Microsoft.OperationalInsights/workspaces/providers/metadata", - "apiVersion": "2022-01-01-preview", + "type": "Microsoft.OperationalInsights/workspaces/providers/contentPackages", + "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "2.0.1", + "version": "3.0.0", "kind": "Solution", - "contentSchemaVersion": "2.0.0", + "contentSchemaVersion": "3.0.0", + "displayName": "ExtraHop Reveal(x)", + "publisherDisplayName": "ExtraHop", + "descriptionHtml": "

Note: There may be known issues pertaining to this Solution, please refer to them before installing.

\n

The ExtraHop Reveal(x) Solution for Microsoft Sentinel enables ingestion of Common Event Format (CEF) logs into Microsoft Sentinel. This solution enables you to view dashboards, create custom alerts, and improve investigation. This integration gives you the ability to gain insight into your organization's network and improve your security operation capabilities.

\n
    \n

  1. ExtraHop Reveal(x) via AMA - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the new Azure Monitor Agent. Learn more about ingesting using the new Azure Monitor Agent here. Microsoft recommends using this Data Connector.

    \n
    2. \n

  2. ExtraHop Reveal(x) via Legacy Agent - This data connector helps in ingesting ExtraHop Reveal(x) logs into your Log Analytics Workspace using the legacy Log Analytics agent.

    \n
    3. \n
\n

NOTE: Microsoft recommends installation of ExtraHop Reveal(x) via AMA Connector. Legacy connector uses the Log Analytics agent which is about to be deprecated by Aug 31, 2024, and thus should only be installed where AMA is not supported. Using MMA and AMA on same machine can cause log duplication and extra ingestion cost more details.

\n

Data Connectors: 2, Workbooks: 1

\n

Learn more about Microsoft Sentinel | Learn more about Solutions

\n", + "contentKind": "Solution", + "contentProductId": "[variables('_solutioncontentProductId')]", + "id": "[variables('_solutioncontentProductId')]", + "icon": "", "contentId": "[variables('_solutionId')]", "parentId": "[variables('_solutionId')]", "source": { @@ -540,6 +910,11 @@ "contentId": "[variables('_dataConnectorContentId1')]", "version": "[variables('dataConnectorVersion1')]" }, + { + "kind": "DataConnector", + "contentId": "[variables('_dataConnectorContentId2')]", + "version": "[variables('dataConnectorVersion2')]" + }, { "kind": "Workbook", "contentId": "[variables('_workbookContentId1')]", diff --git a/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md b/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md new file mode 100644 index 00000000000..63be22aa8f5 --- /dev/null +++ b/Solutions/ExtraHop Reveal(x)/ReleaseNotes.md @@ -0,0 +1,5 @@ +| **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | +|-------------|--------------------------------|--------------------------------------------------------------------| +| 3.0.0 | 13-09-2023 | Addition of new ExtraHop Reveal(x) AMA **Data Connector** | | + + diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index 7e2ee49e899..94102a2847a 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -850,7 +850,8 @@ "CommonSecurityLog" ], "dataConnectorsDependencies": [ - "ExtraHopNetworks" + "ExtraHopNetworks", + "ExtraHopNetworksAma" ], "previewImagesFileNames": [ "ExtrahopWhite.png", diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/createSolutionV2.ps1 b/Tools/Create-Azure-Sentinel-Solution/V2/createSolutionV2.ps1 index beb5e5f22a3..eac689412f8 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/createSolutionV2.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/V2/createSolutionV2.ps1 @@ -2339,7 +2339,7 @@ foreach ($inputFile in $(Get-ChildItem $path)) { apiVersion = "2022-01-01-preview"; name = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId$parserCounter'),'/'))))]"; dependsOn = @( - "[variables('_parserName$parserCounter')]" + "[variables('_parserId$parserCounter')]" ); properties = [PSCustomObject]@{ parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName$parserCounter'))]" diff --git a/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 b/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 index 96cb48dcfeb..ec0b458b407 100644 --- a/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 +++ b/Tools/Create-Azure-Sentinel-Solution/common/commonFunctions.ps1 @@ -3074,7 +3074,7 @@ function addTemplateSpecParserResource($content,$yaml,$isyaml, $contentResourceD apiVersion = $contentResourceDetails.commonResourceMetadataApiVersion; #"2022-01-01-preview"; name = "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Parser-', last(split(variables('_parserId$global:parserCounter'),'/'))))]"; dependsOn = @( - "[variables('_parserName$global:parserCounter')]" + "[variables('_parserId$global:parserCounter')]" ); properties = [PSCustomObject]@{ parentId = "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName$global:parserCounter'))]"