Merge pull request #9322 from nlepagnez/New-Solution-Components

New solution components

.script/tests/KqlvalidationsTests/CustomFunctions/ExchangeAdminAuditLogs.json

@@ -24,7 +24,7 @@
       },
       {
         "Name": "IsVIP",
-        "Type": "String"
+        "Type": "bool"
       },
       {
         "Name": "CmdletName",
@@ -38,10 +38,18 @@
         "Name": "IsSensitiveCmdlet",
         "Type": "bool"
       },
+      {
+        "Name": "IsRestrictedCmdLet",
+        "Type": "bool"
+      },
       {
         "Name": "IsRestrictedParameters",
         "Type": "bool"
       },
+      {
+        "Name": "IsSenstiveCmdletParameters",
+        "Type": "bool"
+      },
       {
         "Name": "ExtractedParameters",
         "Type": "dynamic"

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -3183,6 +3183,11 @@
     "templateName": "CrowdStrikeReplicatorV2.yaml",
     "validationFailReason": "Temporarily Added for Parser KQL Queries validation"
   },
+  {
+    "id": "9f0e2122-f511-4e51-83a0-51fbd86d3121",
+    "templateName": "MESCheckVIP.yaml",
+    "validationFailReason": "Temporarily Added for Parser KQL Queries validation"
+  },
   {
     "id": "600db9e0-1c11-4295-a88a-071c79434926",
     "templateName": "AccountElevatedtoNewRole.yaml",

Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml

@@ -6,7 +6,7 @@ requiredDataConnectors:
   - connectorId: ESI-ExchangeAdminAuditLogEvents
     dataTypes:
       - Event
-severity: Low
+severity: Medium
 queryFrequency: 30m
 queryPeriod: 1h
 triggerOperator: gt
@@ -21,11 +21,11 @@ relevantTechniques:
   - T1098
   - T1114
 query: |
+  let VIPRestriction = "on";
   ExchangeAdminAuditLogs
-  | where ingestion_time() > ago(30m)
-  | where IsSensitive == true
-  | where UserOriented =~ 'Yes'
-  | where IsVIP == true
+  | where IsVIP or VIPRestriction =~ "off"
+  | where UserOriented =~ 'Yes' and IsSensitive and ((IsRestrictedCmdLet and IsSenstiveCmdletParameters) or IsRestrictedCmdLet == false)
+  | extend Level = iif (Status == "Failure", "Medium", "High")
 entityMappings:
 - entityType: Mailbox
   fieldMappings:
@@ -47,5 +47,9 @@ entityMappings:
   fieldMappings:
     - identifier: Name
       columnName: Caller
-version: 1.0.1
+alertDetailsOverride:
+  alertDisplayNameFormat: "{{CmdletName}} executed on {{TargetObject}}"
+  alertDescriptionFormat: "Alert from Microsoft Exchange Security as {{CmdletName}} with parameters {{CmdletParameters}} was executed on {{TargetObject}}"
+  alertSeverityColumnName: Level 
+version: 1.2.0
 kind: Scheduled

Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml

@@ -37,7 +37,6 @@ query: |
         ExchangeAdminAuditLogs
         | where TimeGenerated > ago(timeframe)
         | where UserOriented =~ 'Yes'
-        | lookup kind=leftouter _GetWatchlist('ExchangeVIP') on $left.TargetObject == $right.canonicalName
         | project userExecutedTime = TimeGenerated,
           UserCmdlet = CmdletName,
           UserCmdletParams = CmdletParameters,
@@ -73,6 +72,6 @@ entityMappings:
     - identifier: Name
       columnName: Caller
     - identifier: ObjectGuid
-      columnName: TargetObject
-version: 1.0.1
+      columnName: objectGUID
+version: 1.2.0
 kind: Scheduled

Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/ESI-ExchangeOnPremisesCollector.json

@@ -66,7 +66,7 @@
     },
     "instructionSteps": [
         {
-            "title": "Parser deployment (When using Microsoft Exchange Security Solution, Parsers are automatically deployed)", 
+            "title": "Parser deployment **(When using Microsoft Exchange Security Solution, Parsers are automatically deployed)**", 
             "description": ">**NOTE:** This data connector depends on a parser based on a Kusto Function to work as expected. Follow the steps for each Parser to create the Kusto Functions alias : [**ExchangeConfiguration**](https://aka.ms/sentinel-ESI-ExchangeConfiguration-OnPrem-parser) and [**ExchangeEnvironmentList**](https://aka.ms/sentinel-ESI-ExchangeEnvironmentList-OnPrem-parser)",
             "instructions": [ 
                 {
@@ -105,15 +105,15 @@
                         "instructionSteps": [
                             {
                                 "title": "Download the latest version of ESI Collector",
-                                "description": "The latest version can be found here : https://aka.ms/ESI-ExchangeCollector-Script"
+                                "description": "The latest version can be found here : https://aka.ms/ESI-ExchangeCollector-Script. The file to download is CollectExchSecIns.zip"
                             },
                             {
                                 "title": "Copy the script folder",
                                 "description": "Unzip the content and copy the script folder on a server where Exchange PowerShell Cmdlets are present."
                             },
                             {
-                                "title": "Unlock the PS1 Scripts",
-                                "description": "Click right on each PS1 Script and go to Properties tab.\n If the script is marked as locked, unlock it."
+                                "title": "Unblock the PS1 Scripts",
+                                "description": "Click right on each PS1 Script and go to Properties tab.\n If the script is marked as blocked, unblock it. You can also use the Cmdlet 'Unblock-File *.* in the unzipped folder using PowerShell."
                             },
                             {
                                 "title": "Configure Network Access ",
@@ -127,7 +127,7 @@
         },
         {
             "title": "2. Configure the ESI Collector Script",
-            "description": "Be sure to be local administrator of the server.\nIn 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the collector.\n Fill the Log Analytics (Microsoft Sentinel) Workspace information.\n Fill the Environment name or leave empty.",
+            "description": "Be sure to be local administrator of the server.\nIn 'Run as Administrator' mode, launch the 'setup.ps1' script to configure the collector.\n Fill the Log Analytics (Microsoft Sentinel) Workspace information.\n Fill the Environment name or leave empty. By default, choose 'Def' as Default analysis. The other choices are for specific usage.",
             "instructions": [
                 {
                     "parameters": {
@@ -151,12 +151,12 @@
         },
         {
             "title": "3. Schedule the ESI Collector Script (If not done by the Install Script due to lack of permission or ignored during installation)",
-            "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs the be Exchange Organization Administrator"
+            "description": "The script needs to be scheduled to send Exchange configuration to Microsoft Sentinel.\n We recommend to schedule the script once a day.\n The account used to launch the Script needs to be member of the group Organization Management"
         }
     ],
     "metadata": {
         "id": "ed950fd7-e457-4a59-88f0-b9c949aa280d",
-        "version": "1.1.0",
+        "version": "1.2.0",
         "kind": "dataConnector",
         "source": {
             "kind": "solution",

Solutions/Microsoft Exchange Security - Exchange On-Premises/Data Connectors/azuredeploy_ESI_DCR_Option1MSExchangeAuditLogs.json

@@ -0,0 +1,73 @@
+{
+    "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
+    "contentVersion": "1.0.0.0",
+    "parameters": {
+    "dcrName": {
+      "type": "string",
+      "defaultValue": "DCR-Option1-MSExchangeAuditLogs",
+      "minLength": 1,
+      "metadata": {
+        "description": "Name of the data collection rule"
+      }
+    },
+    "location": {
+      "type": "string",
+      "defaultValue": "[resourceGroup().location]",
+      "metadata": {
+        "description": "Location for data collection rule"
+      }
+    },
+    "workspacename": {
+      "type": "string",
+      "minLength": 1,
+      "metadata": {
+        "description": "The log analitycs workspace name"
+      }
+    }
+    },
+    "variables": {
+        "workspaceResourceId": "[concat('/subscriptions/',subscription().subscriptionId,'/resourceGroups/',resourceGroup().name,'/providers/Microsoft.operationalinsights/workspaces/',parameters('workspacename'))]"
+    },
+    "resources": [
+        {
+            "type": "Microsoft.Insights/dataCollectionRules",
+            "apiVersion": "2021-09-01-preview",
+            "name": "[parameters('dcrName')]",
+            "location": "[parameters('location')]",
+            "kind": "Windows",
+            "properties": {
+                "dataSources": {
+                    "windowsEventLogs": [
+                        {
+                            "streams": [
+                                "Microsoft-Event"
+                            ],
+                            "xPathQueries": [
+                                "\\MSExchange Management!*"
+                            ],
+                            "name": "eventLogsDataSource"
+                        }
+                    ]
+                },
+                "destinations": {
+                    "logAnalytics": [
+                        {
+                            "workspaceResourceId": "[variables('workspaceResourceId')]",
+                            "name": "la-data-destination"
+                        }
+                    ]
+                },
+                "dataFlows": [
+                    {
+                        "streams": [
+                            "Microsoft-Event"
+                        ],
+                        "destinations": [
+                            "la-data-destination"
+                        ]
+                    }
+                ]
+            }
+        }
+    ]
+}

Solutions/Microsoft Exchange Security - Exchange On-Premises/Data/Solution_MicrosoftExchangeSecurity.json

@@ -10,7 +10,8 @@
   "Parsers": [
     "Parsers/ExchangeAdminAuditLogs.yaml",
 	"Parsers/ExchangeConfiguration.yaml",
-	"Parsers/ExchangeEnvironmentList.yaml"
+	"Parsers/ExchangeEnvironmentList.yaml",
+  "Parsers/MESCheckVIP.yaml"
   ],
    "Workbooks": [
 	"Workbooks/Microsoft Exchange Least Privilege with RBAC.json",
@@ -22,8 +23,13 @@
     "Analytic Rules/CriticalCmdletsUsageDetection.yaml",
 	"Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml"
   ],
+  "Watchlists": [
+    "Watchlists/ExchangeServicesMonitoring.json",
+	  "Watchlists/ExchangeVIP.json"
+  ],
+  "WatchlistDescription": ["List of important Exchange Windows Services that should be monitored","ExchangeVIP Watchlist contains a list of VIP users that are allowed to perform privileged operations on Exchange Servers. This watchlist is used by the ServerOrientedWithUserOrientedAdministration rule to detect suspicious activity by VIP users."],
   "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange On-Premises\\",
-  "Version": "3.0.0",
+  "Version": "3.1.0",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1Pconnector": false

Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json

@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\r \n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 3, **Workbooks:** 4, **Analytic Rules:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/Azure_Sentinel.svg\"width=\"75px\"height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Exchange%20Security%20-%20Exchange%20On-Premises/ReleaseNotes.md)\r \n  _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nThe Exchange Security Audit and Configuration Insight solution analyze Exchange On-Premises configuration and logs from a security lens to provide insights and alerts.\n\n**Underlying Microsoft Technologies used:**\n\nThis solution takes a dependency on the following technologies, and some of these dependencies either may be in [Preview](https://azure.microsoft.com/support/legal/preview-supplemental-terms/) state or might result in additional ingestion or operational costs:\n\na. [Windows Event logs collection, including MS Exchange Management Event logs](https://learn.microsoft.com/azure/azure-monitor/agents/data-sources-windows-events)\n\nb. [Custom logs ingestion via Data Collector REST API](https://learn.microsoft.com/en-us/azure/azure-monitor/logs/data-collector-api?tabs=powershell)\n\n**Data Connectors:** 2, **Parsers:** 4, **Workbooks:** 4, **Analytic Rules:** 2, **Watchlists:** 2\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -107,7 +107,7 @@
             "name": "dataconnectors-parser-text",
             "type": "Microsoft.Common.TextBlock",
             "options": {
-              "text": "The solution installs three (3) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs and ExchangeEnvironmentList Kusto Function aliases."
+              "text": "The solution installs three (4) parsers that transform ingested data. The transformed logs can be accessed using the ExchangeConfiguration, ExchangeAdminAuditLogs, MESCheckVIP and ExchangeEnvironmentList Kusto Function aliases."
             }
 }
             ]
@@ -263,6 +263,56 @@
             ]
           }
         ]
+      },
+      {
+        "name": "watchlists",
+        "label": "Watchlists",
+        "subLabel": {
+          "preValidation": "Configure the watchlists",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Watchlists",
+        "elements": [
+          {
+            "name": "watchlists-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "Microsoft Sentinel watchlists enable the collection of data from external data sources for correlation with the events in your Microsoft Sentinel environment. Once created, you can use watchlists in your search, detection rules, threat hunting, and response playbooks. Watchlists are stored in your Microsoft Sentinel workspace as name-value pairs and are cached for optimal query performance and low latency. Once deployment is successful, the installed watchlists will be available in the Watchlists blade under 'My Watchlists'.",
+              "link": {
+                "label": "Learn more",
+                "uri": "https://aka.ms/sentinelwatchlists"
+              }
+            }
+          },
+          {
+            "name": "watchlist1",
+            "type": "Microsoft.Common.Section",
+            "label": "Exchange Services Monitoring",
+            "elements": [
+              {
+                "name": "watchlist1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "List of important Exchange Windows Services that should be monitored"
+                }
+              }
+            ]
+          },
+          {
+            "name": "watchlist2",
+            "type": "Microsoft.Common.Section",
+            "label": "Exchange VIP",
+            "elements": [
+              {
+                "name": "watchlist2-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "ExchangeVIP Watchlist contains a list of VIP users that are allowed to perform privileged operations on Exchange Servers. This watchlist is used by the ServerOrientedWithUserOrientedAdministration rule to detect suspicious activity by VIP users."
+                }
+              }
+            ]
+          }
+        ]
       }
     ],
     "outputs": {