diff --git a/Solutions/Salem AI Cyber Analyst/Playbooks/SendAlertToSalem/azuredeploy.json b/Solutions/Salem AI Cyber Analyst/Playbooks/SendAlertToSalem/azuredeploy.json new file mode 100644 index 00000000000..4792820087f --- /dev/null +++ b/Solutions/Salem AI Cyber Analyst/Playbooks/SendAlertToSalem/azuredeploy.json @@ -0,0 +1,205 @@ +{ + "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "PlaybookName": { + "type": "string", + "metadata": { + "description": "A Globally unique name for the integration logic app" + } + }, + "SalemEventHubConnectionString": { + "type": "securestring", + "metadata": { + "description": "The Connection String from the Salem 'alerts' Event Hub" + } + }, + "location": { + "type": "string", + "defaultValue": "", + "metadata": { + "description": "Location for all resources. Leave blank to use location of resource group" + } + } + }, + "variables": { + "location": "[if(empty(parameters('location')), resourceGroup().location, parameters('location'))]", + "SalemEventHubConnectionName": "[concat('SalemEventHub-', parameters('PlaybookName'))]", + "SentinelConnectionName": "[concat('MicrosoftSentinel-', parameters('PlaybookName'))]" + }, + "resources": [ + { + "type": "Microsoft.Logic/workflows", + "apiVersion": "2017-07-01", + "name": "[parameters('PlaybookName')]", + "location": "[variables('location')]", + "properties": { + "state": "Enabled", + "definition": { + "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#", + "contentVersion": "1.0.0.0", + "parameters": { + "$connections": { + "defaultValue": {}, + "type": "Object" + } + }, + "triggers": { + "Microsoft_Sentinel_alert": { + "type": "ApiConnectionWebhook", + "inputs": { + "body": { + "callback_url": "@{listCallbackUrl()}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "path": "/subscribe" + } + } + }, + "actions": { + "Alert_-_Get_incident": { + "runAfter": {}, + "type": "ApiConnection", + "inputs": { + "host": { + "connection": { + "name": "@parameters('$connections')['azuresentinel']['connectionId']" + } + }, + "method": "get", + "path": "/Incidents/subscriptions/@{encodeURIComponent(triggerBody()?['WorkspaceSubscriptionId'])}/resourceGroups/@{encodeURIComponent(triggerBody()?['WorkspaceResourceGroup'])}/workspaces/@{encodeURIComponent(triggerBody()?['WorkspaceId'])}/alerts/@{encodeURIComponent(triggerBody()?['SystemAlertId'])}" + } + }, + "Initialize_variable_alert_body": { + "runAfter": { + "Alert_-_Get_incident": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_body", + "type": "object", + "value": { + "custom_details": "@json(coalesce(triggerBody()?['ExtendedProperties']?['Custom Details'],'{}'))", + "earliest": "@triggerBody()['ExtendedProperties']['Query Start Time UTC']", + "entities": "@triggerBody()?['Entities']", + "incident_id": "@body('Alert_-_Get_incident')?['properties']?['incidentNumber']", + "latest": "@triggerBody()['ExtendedProperties']['Query End Time UTC']" + } + } + ] + } + }, + "Initialize_variable_alert": { + "runAfter": { + "Initialize_variable_alert_body": [ + "Succeeded" + ] + }, + "type": "InitializeVariable", + "inputs": { + "variables": [ + { + "name": "alert_formatted", + "type": "object", + "value": { + "alert": "@variables('alert_body')", + "alert_name": "@triggerBody()?['AlertDisplayName']", + "id": "@triggerBody()?['SystemAlertId']", + "source": "sentinel" + } + } + ] + } + }, + "Send_event": { + "runAfter": { + "Initialize_variable_alert": [ + "Succeeded" + ] + }, + "type": "ApiConnection", + "inputs": { + "body": { + "ContentData": "@{base64(variables('alert_formatted'))}" + }, + "host": { + "connection": { + "name": "@parameters('$connections')['eventhubs']['connectionId']" + } + }, + "method": "post", + "path": "/@{encodeURIComponent('alerts')}/events" + } + } + }, + "outputs": {} + }, + "parameters": { + "$connections": { + "value": { + "azuresentinel": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "connectionName": "[variables('SentinelConnectionName')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]" + }, + "eventhubs": { + "connectionId": "[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]", + "connectionName": "[variables('SalemEventHubConnectionname')]", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/eventhubs')]" + } + } + } + } + }, + "dependsOn": [ + "[resourceId('Microsoft.Web/connections', variables('SentinelConnectionName'))]", + "[resourceId('Microsoft.Web/connections', variables('SalemEventHubConnectionname'))]" + ] + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SalemEventHubConnectionname')]", + "location": "[variables('location')]", + "kind": "V1", + "properties": { + "displayName": "Salem Event Hubs", + "api": { + "name": "[variables('SalemEventHubConnectionname')]", + "displayName": "Salem Event Hubs", + "description": "Connect to The Salem Event Hub to send alerts.", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/eventhubs')]", + "type": "Microsoft.Web/locations/managedApis" + }, + "parameterValues": { + "connectionString": "[parameters('SalemEventHubConnectionString')]" + } + } + }, + { + "type": "Microsoft.Web/connections", + "apiVersion": "2016-06-01", + "name": "[variables('SentinelConnectionName')]", + "location": "[variables('location')]", + "kind": "V1", + "properties": { + "displayName": "Microsoft Sentinel", + "api": { + "name": "[variables('SentinelConnectionName')]", + "displayName": "Microsoft Sentinel", + "description": "Cloud-native SIEM with a built-in AI so you can focus on what matters most", + "id": "[concat('/subscriptions/', subscription().subscriptionId, '/providers/Microsoft.Web/locations/', variables('location'), '/managedApis/azuresentinel')]", + "type": "Microsoft.Web/locations/managedApis" + } + } + } + ] +} \ No newline at end of file diff --git a/Solutions/Salem AI Cyber Analyst/Workbooks/SalemDashboard.json b/Solutions/Salem AI Cyber Analyst/Workbooks/SalemDashboard.json new file mode 100644 index 00000000000..cbff7370966 --- /dev/null +++ b/Solutions/Salem AI Cyber Analyst/Workbooks/SalemDashboard.json @@ -0,0 +1,329 @@ +{ + "$schema": "https://github.com/Microsoft/Application-Insights-Workbooks/blob/master/schema/workbook.json", + "version": "Notebook/1.0", + "items": [ + { + "type": 9, + "content": { + "version": "KqlParameterItem/1.0", + "parameters": [ + { + "id": "ea0c0933-39f4-4220-9afc-d2aca2b7afc7", + "version": "KqlParameterItem/1.0", + "name": "time_range_picker", + "label": "Time Range Picker", + "type": 4, + "isGlobal": true, + "typeSettings": { + "selectableValues": [ + { + "durationMs": 300000 + }, + { + "durationMs": 1800000 + }, + { + "durationMs": 3600000 + }, + { + "durationMs": 43200000 + }, + { + "durationMs": 86400000 + }, + { + "durationMs": 172800000 + }, + { + "durationMs": 604800000 + }, + { + "durationMs": 2592000000 + }, + { + "durationMs": 7776000000 + } + ], + "allowCustom": true + }, + "timeContext": { + "durationMs": 86400000 + }, + "value": { + "durationMs": 86400000 + } + }, + { + "id": "78694e68-cdb6-4156-9847-b19b75c2b04f", + "version": "KqlParameterItem/1.0", + "name": "row_count", + "label": "Row Count", + "type": 2, + "description": "Number of rows to display", + "isGlobal": true, + "typeSettings": { + "additionalResourceOptions": [], + "showDefault": false + }, + "jsonData": "[\n 1, 5, 25\n]", + "timeContext": { + "durationMs": 86400000 + }, + "value": "5" + } + ], + "style": "pills", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "parameters - 3" + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Top Row", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| summarize escalated_threats = count()\n| project Count = escalated_threats", + "size": 3, + "title": "Escalated Threats", + "noDataMessageStyle": 4, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "tileSettings": { + "showBorder": false + }, + "mapSettings": { + "locInfo": "LatLong", + "sizeSettings": "Count", + "sizeAggregation": "Sum", + "legendMetric": "Count", + "legendAggregation": "Sum", + "itemColorSettings": { + "type": "heatmap", + "colorAggregation": "Sum", + "nodeColorField": "Count", + "heatmapPalette": "greenRed" + } + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| summarize Count = count()", + "size": 3, + "title": "Alerts Analyzed", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "visualization": "card", + "gridSettings": { + "rowLimit": 50 + }, + "textSettings": { + "style": "bignumber" + } + }, + "customWidth": "50", + "name": "query - 2" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| summarize cnt = count() by alert_name_s\n| order by cnt desc\n| project alert_name = alert_name_s, Count = cnt\n| take {row_count}", + "size": 3, + "title": "Common Escalated Threats", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "tileSettings": { + "showBorder": false, + "titleContent": { + "columnMatch": "alert_name", + "formatter": 1 + }, + "leftContent": { + "columnMatch": "Count", + "formatter": 12, + "formatOptions": { + "palette": "auto" + }, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + }, + "graphSettings": { + "type": 0, + "topContent": { + "columnMatch": "alert_name", + "formatter": 1 + }, + "centerContent": { + "columnMatch": "Count", + "formatter": 1, + "numberFormat": { + "unit": 17, + "options": { + "maximumSignificantDigits": 3, + "maximumFractionDigits": 2 + } + } + } + } + }, + "customWidth": "50", + "name": "query - 3" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| summarize cnt = count() by alert_name_s\n| order by cnt desc\n| project alert_name = alert_name_s, Count = cnt\n| take {row_count}", + "size": 3, + "title": "Common Alerts", + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "customWidth": "50", + "name": "query - 5" + } + ] + }, + "name": "Top Row", + "styleSettings": { + "margin": "5", + "padding": "5", + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Most Targeted", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL \n| extend pred = parse_json(prediction_s)[-1]\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| where investigation_status == \"Threat\"\n| extend context = parse_json(context_s)\n| mv-expand context.account\n| where isnotempty( context_account) \n| summarize cnt = count() by tostring(context_account)\n| order by cnt desc \n| take 5\n| project Targeted_Accounts = context_account, Count = cnt", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 4" + }, + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| where incident_s == \"1\"\n| extend context = parse_json(context_s)\n| extend res_context = case(set_has_element(context.dest, \"external_resource\"), context.src, context.dest)\n| mv-expand res_context\n| where res_context !in (\"internal_resource\",\"isHostName\")\n| where isnotempty(res_context)\n| summarize Count = count() by tostring(res_context)\n| order by Count desc\n| project Targeted_Resources = res_context, Count\n| take {row_count}", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "sortBy": [] + }, + "customWidth": "50", + "name": "query - 4 - Copy" + } + ] + }, + "name": "most_targeted", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Alert Trend", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "range days from {time_range_picker:start} to {time_range_picker:end} step 1d\n| project days, day_only = format_datetime(days, \"MM/dd/yyyy\")\n| join kind=leftouter (\n SalemAlerts_CL\n | summarize alerts = count() by bin(report_time_t, 1d)\n | project report_time_t, alerts\n | join kind=leftouter (\n SalemAlerts_CL\n | where incident_s == \"1\"\n | summarize threats = count() by bin(report_time_t, 1d)\n | project report_time_t, threats\n ) on report_time_t\n | project day_only = format_datetime(report_time_t1, \"MM/dd/yyyy\"), alerts, threats\n) on day_only\n| project days, alerts = case(isempty(alerts), 0, alerts) , threats = case(isempty(threats), 0, threats)\n| order by days asc \n| render timechart", + "size": 0, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces" + }, + "name": "query - 2" + } + ] + }, + "name": "Alert Trend", + "styleSettings": { + "showBorder": true + } + }, + { + "type": 12, + "content": { + "version": "NotebookGroup/1.0", + "groupType": "editable", + "title": "Alerts in Table", + "items": [ + { + "type": 3, + "content": { + "version": "KqlItem/1.0", + "query": "SalemAlerts_CL\n| extend pred = parse_json(prediction_s)[-1]\n| extend treat_level = case(pred > 0.7, \"High\", pred < 0.35, \"Low\", \"Medium\")\n| extend investigation_status = case(incident_s == \"1\", \"Threat\", incident_s == \"0\", \"False Positive\", \"Not Escalated\")\n| project report_time_t, id_s, alert_name_s, treat_level, investigation_status", + "size": 3, + "timeContextFromParameter": "time_range_picker", + "queryType": 0, + "resourceType": "microsoft.operationalinsights/workspaces", + "gridSettings": { + "sortBy": [ + { + "itemKey": "report_time_t", + "sortOrder": 2 + } + ] + }, + "sortBy": [ + { + "itemKey": "report_time_t", + "sortOrder": 2 + } + ] + }, + "name": "query - 2" + } + ] + }, + "name": "group - 5", + "styleSettings": { + "showBorder": true + } + } + ] + } \ No newline at end of file