-
Notifications
You must be signed in to change notification settings - Fork 3k
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
discarded changes updated with master
- Loading branch information
1 parent
78c05f2
commit c7f3b2d
Showing
4 changed files
with
138 additions
and
0 deletions.
There are no files selected for viewing
30 changes: 30 additions & 0 deletions
30
Tools/Create-Azure-Sentinel-Solution/V2/input/Solution_MicrosoftExchangeSecurity.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,30 @@ | ||
| { | ||
| "Name": "Microsoft Exchange Security - Exchange On-Premises", | ||
| "Author": "Microsoft - support@microsoft.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">", | ||
| "Description": "The Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)", | ||
| "Data Connectors": [ | ||
| "Data Connectors/ESI-ExchangeAdminAuditLogEvents.json", | ||
| "Data Connectors/ESI-ExchangeOnPremisesCollector.json" | ||
| ], | ||
| "Parsers": [ | ||
| "Parsers/ExchangeAdminAuditLogs.txt", | ||
| "Parsers/ExchangeConfiguration.txt", | ||
| "Parsers/ExchangeEnvironmentList.txt" | ||
| ], | ||
| "Workbooks": [ | ||
| "Workbooks/Microsoft Exchange Least Privilege with RBAC.json", | ||
| "Workbooks/Microsoft Exchange Search AdminAuditLog.json", | ||
| "Workbooks/Microsoft Exchange Admin Activity.json", | ||
| "Workbooks/Microsoft Exchange Security Review.json" | ||
| ], | ||
| "Analytic Rules": [ | ||
| "Analytic Rules/CriticalCmdletsUsageDetection.yaml", | ||
| "Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml" | ||
| ], | ||
| "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\", | ||
| "Version": "2.0.0", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, | ||
| "Is1Pconnector": false | ||
| } |
23 changes: 23 additions & 0 deletions
23
...te-Azure-Sentinel-Solution/V2/input/Solution_MicrosoftExchangeSecurityExchangeOnline.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,23 @@ | ||
| { | ||
| "Name": "Microsoft Exchange Security - Exchange Online", | ||
| "Author": "Microsoft - support@microsoft.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">", | ||
| "Description": "The Exchange Security Audit and Configuration Insight solution analyze Exchange Online configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)", | ||
| "Data Connectors": [ | ||
| "Data Connectors/ESI-ExchangeOnlineCollector.json" | ||
| ], | ||
| "Parsers": [ | ||
| "Parsers/ExchangeConfiguration.txt", | ||
| "Parsers/ExchangeEnvironmentList.txt" | ||
| ], | ||
| "Workbooks": [ | ||
| "Workbooks/Microsoft Exchange Least Privilege with RBAC - Online.json", | ||
| "Workbooks/Microsoft Exchange Security Review - Online.json" | ||
| ], | ||
| "Analytic Rules": [], | ||
| "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online", | ||
| "Version": "2.0.0", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, | ||
| "Is1Pconnector": false | ||
| } |
44 changes: 44 additions & 0 deletions
44
Tools/Create-Azure-Sentinel-Solution/input/Solution_CyberArkEPM.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,44 @@ | ||
| { | ||
| "Name": "CyberArkEPM", | ||
| "Author": "CyberArk Business Development - business_development@cyberark.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/CyberArk_Logo.svg\" width=\"75px\" height=\"75px\">", | ||
| "Description": "Endpoint Privilege Manager, a critical and foundational endpoint control addresses the underlying weaknesses of endpoint defenses against a privileged attacker and helps enterprises defend against these attacks.", | ||
| "Data Connectors": [ | ||
| "Solutions/CyberArkEPM/DataConnectors/CyberArkEPM_API_FunctionApp.json" | ||
| ], | ||
| "Parsers": [ | ||
| "Solutions/CyberArkEPM/Parsers/CyberArkEPM.txt" | ||
| ], | ||
| "Hunting Queries": [ | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMElevationRequests.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMPowershellDownloads.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMPowershellExecutionParameters.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMProcessNewHash.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMProcessesAccessedInternet.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMProcessesRunAsAdmin.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMRareProcVendors.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMRareProcessesRunByUsers.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMScriptsExecuted.yaml", | ||
| "Solutions/CyberArkEPM/Hunting Queries/CyberArkEPMSuspiciousActivityAttempts.yaml" | ||
| ], | ||
| "Analytic Rules": [ | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMAttackAttemptNotBlocked.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMSBuildLOLBin.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMMultipleAttackAttempts.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMNewProcessStartetFromSystem.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMPossibleExecutionOfPowershellEmpire.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMProcessChangedStartLocation.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRareProcInternetAccess.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMRenamedWindowsBinary.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMUnexpectedExecutableExtension.yaml", | ||
| "Solutions/CyberArkEPM/Analytic Rules/CyberArkEPMUnexpectedExecutableLocation.yaml" | ||
| ], | ||
| "Workbooks": [ | ||
| "Solutions/CyberArkEPM/Workbooks/CyberArkEPM.json" | ||
| ], | ||
| "BasePath": "/Users/Julie.Mauch/Documents/GitHub/Azure-Sentinel/Solutions/CyberArkEPM", | ||
| "Version": "2.0.0", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, | ||
| "Is1PConnector": false | ||
| } |
41 changes: 41 additions & 0 deletions
41
Tools/Create-Azure-Sentinel-Solution/input/Solution_DNS.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,41 @@ | ||
| { | ||
| "Name": "DNS Domain Solution for Microsoft Sentinel", | ||
| "Author": "Microsoft - support@microsoft.com", | ||
| "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\" width=\"75px\" height=\"75px\">", | ||
| "Description": "This is a [domain solution](https://nam06.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fazure%2Fsentinel%2Fsentinel-solutions-catalog%23domain-solutions&data=05%7C01%7Ckavishbakshi%40microsoft.com%7Cbe2a496082b24caa4b8c08da9cefacca%7C72f988bf86f141af91ab2d7cd011db47%7C1%7C0%7C637994850502413731%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000%7C%7C%7C&sdata=OJegu%2B2EqD7rmYmK9pm9QniD6YWp5ooloZ6tHzcwVi0%3D&reserved=0) and does not include any data connectors. The content in this solution requires one of the product solutions below , as well as any other connector or data source normalized to the [ASIM](https://aka.ms/AboutASIM).\n\n**Prerequisite :-**\n\n Install one or more of the listed solutions, or develop your custom ASIM parsers to unlock the value provided by this solution.\n 1. Windows Server DNS \n 2. Azure Firewall \n 3. Cisco Umbrella \n 4. Corelight Zeek \n 5. Google Cloud Platform DNS \n 6. Infoblox NIOS \n 7. ISC Bind \n 8. Vectra AI \n 9. Zscaler Internet Access \n\n**Underlying Microsoft Technologies used:** \n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in Preview state or might result in additional ingestion or operational costs: \n 1. Product solutions as described above \n 2. Logic app for data summarization\n\n**Recommendation :-**\n\nIt is highly recommended to use the **Summarize data** logic app playbook provided with this solution as it will significantly improve the performance of the Workbook, Analytic rules & Hunting queries.", | ||
| "Workbooks": ["Workbooks/DNSSolutionWorkbook.json"], | ||
| "Analytic Rules": [ | ||
| "Analytic Rules/DNSRequestToMaliciousDomain.yaml", | ||
| "Analytic Rules/ExcessiveNXDOMAINDNSQueriesAnomalyBased.yaml", | ||
| "Analytic Rules/ExcessiveNXDOMAINDNSQueriesStaticThresholdBased.yaml", | ||
| "Analytic Rules/MultipleErrorsReportedForSameDNSQueryAnomalyBased.yaml", | ||
| "Analytic Rules/MultipleErrorsReportedForSameDNSQueryStaticThresholdBased.yaml", | ||
| "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresAnomalyBased.yaml", | ||
| "Analytic Rules/PotentialDGADetectedviaRepetitiveFailuresStaticThresholdBased.yaml", | ||
| "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountAnomalyBased.yaml", | ||
| "Analytic Rules/RareClientObservedWithHighReverseDNSLookupCountStaticThresholdBased.yaml" | ||
| ], | ||
| "Playbooks": ["Playbooks/SummarizeData/azuredeploy.json"], | ||
| "Hunting Queries": [ | ||
| "Hunting Queries/AnomalousIncreaseInDNSActivityByClients.yaml", | ||
| "Hunting Queries/ConnectionToUnpopularWebsiteDetected.yaml", | ||
| "Hunting Queries/CVE-2020-1350 (SIGRED)ExploitationPattern.yaml", | ||
| "Hunting Queries/DNSQueryWithFailuresInLast24Hours.yaml", | ||
| "Hunting Queries/DNSRequestsToRiskyDomains.yaml", | ||
| "Hunting Queries/DomainsWithLargeNumberOfSubDomains.yaml", | ||
| "Hunting Queries/IncreaseInDNSRequestsByClientThanTheDailyAverageCount.yaml", | ||
| "Hunting Queries/PossibleDNSTunnelingOrDataExfilterationActivity.yaml", | ||
| "Hunting Queries/PotentialBeaconingActivity.yaml", | ||
| "Hunting Queries/Sources(Clients)WithHighNumberOfErrors.yaml", | ||
| "Hunting Queries/UnexpectedTopLevelDomains.yaml" | ||
| ], | ||
| "Watchlists": [ | ||
| "Watchlists/DNS_Solution_Monitoring_Configuration.json", | ||
| "Watchlists/DNS_Solution_Domain_IOCs.json" | ||
| ], | ||
| "BasePath": "C:\\Users\\vakohl\\Documents\\GitHub\\Azure-Sentinel\\Solutions\\DNS Domain Solution for Microsoft Sentinel", | ||
| "Version": "2.0.0", | ||
| "Metadata": "SolutionMetadata.json", | ||
| "TemplateSpec": true, | ||
| "Is1PConnector": false | ||
| } |