Merge pull request #7743 from jonbagg/Salem

Initial Push of Salem Cyber Integration
Azure · Aug 29, 2023 · f5feaff · f5feaff
2 parents 52c84c5 + a1021ba
commit f5feaff
Show file tree

Hide file tree

Showing 13 changed files with 6,720 additions and 5,420 deletions.
diff --git a/Logos/salem_logo.svg b/Logos/salem_logo.svg
diff --git a/Sample Data/SalemCyber.csv b/Sample Data/SalemCyber.csv
@@ -0,0 +1,6 @@
+TenantId,SourceSystem,TimeGenerated [UTC],Computer,RawData,report_time_t [UTC],id_g,date_s,receive_time_s,alert_source_s,raw_s,alert_name_s,parsed_s,context_s,actions_s,prediction_s,updated_by_s,incident_s,source_s,Type
+00000000-0000-0000-0000-000000000000,RestAPI,"7/30/2023, 7:19:16.731 PM",,,"7/30/2023, 7:19:15.361 PM",00000000-0000-0000-0000-000000000001,7/30/2023,1690744624,sentinel,"{'custom_details': {}, 'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z'}",Service Principal Authentication Attempt from New Country,"{'earliest': '2023-07-16 19:12:00Z', 'entities': [{'$id': '3', 'Name': 'Partner-Integration', 'Type': 'account'}], 'incident_id': 550, 'latest': '2023-07-30 19:12:01Z', 'account': ['Partner-Integration'], 'alert_name': 'Service Principal Authentication Attempt from New Country'}","{'action': ['authentication'], 'account': ['shared_access_key']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.8330117799341679, 0.8330117799341679]",[],1,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000002,RestAPI,"7/27/2023, 11:13:26.097 AM",,,"7/27/2023, 11:13:24.722 AM",00000000-0000-0000-0000-000000000003,7/27/2023,1690456295,sentinel,"{'custom_details': {'app': ['Miro'], 'account': ['jan.bragg@example.com'], 'result': ['50074'], 'description': ['Strong Authentication is required.']}, 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z'}",Successful logon from IP and failure from a different IP,"{'custom_details__app': ['Miro'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__result': ['50074'], 'custom_details__description': ['Strong Authentication is required.'], 'earliest': '2023-07-26 11:06:30Z', 'entities': [{'$id': '3', 'Name': jan.bragg', 'UPNSuffix': 'example.com', 'Type': 'account'}, {'$id': '4', 'Address': '2600:0000:0000:0000:0000:0000:0000:f0e1', 'Type': 'ip'}], 'incident_id': 543, 'latest': '2023-07-27 11:06:31Z', 'account': ['jan.bragg'], 'alert_name': 'Successful logon from IP and failure from a different IP'}","{'action': ['authentication'], 'dest': ['cloud_service'], 'program':['approved_program']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.2812345498983101]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000003,RestAPI,"7/27/2023, 7:35:38.856 PM",,,"7/27/2023, 7:35:37.094 PM",00000000-0000-0000-0000-000000000004,7/27/2023,1690486413,sentinel,"{'custom_details': {}, 'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z'}",Failed login attempts to Azure Portal,"{'earliest': '2023-07-20 19:28:29Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}, {'$id': '4', 'Address': '123.123.123.123', 'Type': 'ip'}], 'incident_id': 544, 'latest': '2023-07-27 19:28:30Z', 'account': ['jan.bragg'], 'alert_name': 'Failed login attempts to Azure Portal'}","{'action': ['authentication', 'expected_aciton'], 'dest': ['cloud_service']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922']","[0.4976343959569931, 0.1197867461203676]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000004,RestAPI,"7/27/2023, 7:53:22.111 PM",,,"7/27/2023, 7:53:21.738 PM",00000000-0000-0000-0000-000000000005,7/27/2023,1690487481,sentinel,"{'custom_details': {'country': ['LV'], 'user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'src_host': ['[""""]'], 'src_ip': ['[""123.123.123.123""]'], 'result': ['[""0 - ""]'], 'user': ['jan.bragg@example.com']}, 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z'}",Authentication Attempt from New Country,"{'custom_details__country': ['LV'], 'custom_details__user_agent': ['[""Dalvik/2.1.0 (Linux; U; Android 13; Pixel 6 Build/TQ3A.230705.001) ;Pixel 6""]'], 'custom_details__src_host': ['[""""]'], 'custom_details__src_ip': ['[""123.123.123.123""]'], 'custom_details__result': ['[""0 - ""]'], 'custom_details__user': ['jan.bragg@example.com'], 'earliest': '2023-07-13 19:46:17Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 545, 'latest': '2023-07-27 19:46:18Z', 'account': ['jan.bragg'], 'alert_name': 'Authentication Attempt from New Country'}","{'action': ['authentication'] 'account': ['on_travel', 'domain_account']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.unapproved_action_1680017995', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.4487365037202835, 0.3422004755431098]",[],0,Salem,SalemAlerts_CL
+00000000-0000-0000-0000-000000000006,RestAPI,"7/25/2023, 2:42:40.263 PM",,,"7/25/2023, 2:42:37.783 PM",00000000-0000-0000-0000-000000000007,7/25/2023,1690296007,sentinel,"{'custom_details': {'city': ['Mumbai'], 'src_os': ['Windows 10'], 'account': ['jan.bragg@example.com'], 'process': ['Edge 18.19045'], 'logon_type': ['AADNonInteractiveUserSignInLogs'], 'region': ['IN'], 'src': ['[""123.123.123.123"",""123.123.123.124""]'], 'app': ['Microsoft Office'], 'result': ['[""failure""]']}, 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z'}",Attempt to bypass conditional access rule in Azure AD,"{'custom_details__city': ['Mumbai'], 'custom_details__src_os': ['Windows 10'], 'custom_details__account': ['jan.bragg@example.com'], 'custom_details__process': ['Edge 18.19045'], 'custom_details__logon_type': ['AADNonInteractiveUserSignInLogs'], 'custom_details__region': ['IN'], 'custom_details__src': ['[""123.123.123.123"",""123.123.123.124""]'], 'custom_details__app': ['Microsoft Office'], 'custom_details__result': ['[""failure""]'], 'earliest': '2023-07-24 14:35:02Z', 'entities': [{'$id': '3', 'Name': 'jan.bragg', 'UPNSuffix': 'example.com', 'IsDomainJoined': True, 'DisplayName': 'jan.bragg@example.com', 'Type': 'account'}], 'incident_id': 541, 'latest': '2023-07-25 14:35:03Z', 'account': ['jan.bragg'], 'alert_name': 'Attempt to bypass conditional access rule in Azure AD'}","{'dest': ['cloud_service'], 'action': ['authentication', 'failure'], 'account':['mfa_enabled']}","['default_context_lookup', 'naming-convention-admin-users-ActionConf', 'naming-convention-service-accounts-ActionConf', 'naming-convention-domain-account-ActionConf', 'email-domains-ActionConf', 'default_account_match', 'demo_svc_account', 'system_account', 'default_anonymous', 'UserGen_account.regular_user_1676650826', 'UserGen_account.regular_user_1679064922', 'UserGen_action.failure_1680017671', 'UserGen_action.failure_1680099173', 'UserGen_action.failure_1680532569', 'UserGen_action.failure_1688659161']","[0.49763429164886475, 0.0329890876554427]",[],0,Salem,SalemAlerts_CL
diff --git a/Solutions/SalemCyber/Data/Solution_Salem.json b/Solutions/SalemCyber/Data/Solution_Salem.json
@@ -0,0 +1,25 @@
+{
+  "Name": "SalemCyber",
+  "Author": "Salem Cyber - support@salemcyber.com",
+  "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/salem_logo.svg\" width=\"75px\" height=\"75px\">",
+  "Description": "Salem, [AI Cyber analyst](https://salemcyber.com), **automatically investigates** Microsoft Sentinel alerts and escalates validated threats that require your attention. \n\nThis Microsoft Sentinel integration allows you to send new Microsoft Sentinel alerts to Salem for analysis and reporting.\n\n**Why Salem?** \n\nMost alerts are false positives. Salem automatically triages noisy cyber alerts to find a small number of threats that require your attention. \n\nSalem scales the impact of your cyber team by helping you respond well 24/7 to a wide range of security threats. \n\nSalem's AI learns from your team and customizes its analysis to your cyber relevant business context. \n\n**Get Started with Salem** \n\nYou can find and install Salem, AI cyber analyst in the [Azure Marketplace](https%3A%2F%2Fazuremarketplace.microsoft.com%2Fen-us%2Fmarketplace%2Fapps%2Fsaleminc1627928803559.salemcyber%3Ftab%3DOverview)",
+  "Workbooks": ["Solutions/SalemCyber/Workbooks/SalemDashboard.json"],
+
+  "WorkbookBladeDescription": "This Microsoft Sentinel Integration installs workbooks to help visualize Salem alert analysis",
+  "Analytic Rules": [],
+  "Playbooks": ["Solutions/SalemCyber/Playbooks/SendAlertToSalem/azuredeploy.json"],
+
+  "PlaybooksBladeDescription": "This Microsoft Sentinel Integration installs a playbook that allows Microsoft Sentinel alerts to be sent to Salem for investigation",
+  "Parsers": [],
+  "SavedSearches": [],
+  "Hunting Queries": [],
+  "HuntingQueryBladeDescription": "",
+  "Data Connectors": [],
+  "Watchlists": [],
+  "WatchlistDescription": [],
+  "BasePath": "C:\\Users\\jonwb\\github\\Azure-Sentinel",
+  "Version": "3.0.0",
+  "Metadata": "SolutionMetadata.json",
+  "TemplateSpec": true,
+  "Is1PConnector": false
+}
diff --git a/Solutions/SalemCyber/Package/3.0.0.zip b/Solutions/SalemCyber/Package/3.0.0.zip
diff --git a/Solutions/SalemCyber/Package/createUiDefinition.json b/Solutions/SalemCyber/Package/createUiDefinition.json
@@ -0,0 +1,131 @@
+{
+  "$schema": "https://schema.management.azure.com/schemas/0.1.2-preview/CreateUIDefinition.MultiVm.json#",
+  "handler": "Microsoft.Azure.CreateUIDef",
+  "version": "0.1.2-preview",
+  "parameters": {
+    "config": {
+      "isWizard": false,
+      "basics": {
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/salem_logo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \r \n • Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SalemCyber/ReleaseNotes.md)\r \n _There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing._\n\nSalem, [AI Cyber analyst](https://salemcyber.com), **automatically investigates** Microsoft Sentinel alerts and escalates validated threats that require your attention. \n\nThis Microsoft Sentinel integration allows you to send new Microsoft Sentinel alerts to Salem for analysis and reporting.\n\n**Why Salem?** \n\nMost alerts are false positives. Salem automatically triages noisy cyber alerts to find a small number of threats that require your attention. \n\nSalem scales the impact of your cyber team by helping you respond well 24/7 to a wide range of security threats. \n\nSalem's AI learns from your team and customizes its analysis to your cyber relevant business context. \n\n**Get Started with Salem** \n\nYou can find and install Salem, AI cyber analyst in the [Azure Marketplace](https%3A%2F%2Fazuremarketplace.microsoft.com%2Fen-us%2Fmarketplace%2Fapps%2Fsaleminc1627928803559.salemcyber%3Ftab%3DOverview)\n\n**Workbooks:** 1, **Playbooks:** 1\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "subscription": {
+          "resourceProviders": [
+            "Microsoft.OperationsManagement/solutions",
+            "Microsoft.OperationalInsights/workspaces/providers/alertRules",
+            "Microsoft.Insights/workbooks",
+            "Microsoft.Logic/workflows"
+          ]
+        },
+        "location": {
+          "metadata": {
+            "hidden": "Hiding location, we get it from the log analytics workspace"
+          },
+          "visible": false
+        },
+        "resourceGroup": {
+          "allowExisting": true
+        }
+      }
+    },
+    "basics": [
+      {
+        "name": "getLAWorkspace",
+        "type": "Microsoft.Solutions.ArmApiControl",
+        "toolTip": "This filters by workspaces that exist in the Resource Group selected",
+        "condition": "[greater(length(resourceGroup().name),0)]",
+        "request": {
+          "method": "GET",
+          "path": "[concat(subscription().id,'/providers/Microsoft.OperationalInsights/workspaces?api-version=2020-08-01')]"
+        }
+      },
+      {
+        "name": "workspace",
+        "type": "Microsoft.Common.DropDown",
+        "label": "Workspace",
+        "placeholder": "Select a workspace",
+        "toolTip": "This dropdown will list only workspace that exists in the Resource Group selected",
+        "constraints": {
+          "allowedValues": "[map(filter(basics('getLAWorkspace').value, (filter) => contains(toLower(filter.id), toLower(resourceGroup().name))), (item) => parse(concat('{\"label\":\"', item.name, '\",\"value\":\"', item.name, '\"}')))]",
+          "required": true
+        },
+        "visible": true
+      }
+    ],
+    "steps": [
+      {
+        "name": "workbooks",
+        "label": "Workbooks",
+        "subLabel": {
+          "preValidation": "Configure the workbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Workbooks",
+        "elements": [
+          {
+            "name": "workbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Microsoft Sentinel Integration installs workbooks to help visualize Salem alert analysis"
+            }
+          },
+          {
+            "name": "workbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-monitor-your-data"
+              }
+            }
+          },
+          {
+            "name": "workbook1",
+            "type": "Microsoft.Common.Section",
+            "label": "Salem Alerts Workbook",
+            "elements": [
+              {
+                "name": "workbook1-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Monitor Salem Performance"
+                }
+              }
+            ]
+          }
+        ]
+      },
+      {
+        "name": "playbooks",
+        "label": "Playbooks",
+        "subLabel": {
+          "preValidation": "Configure the playbooks",
+          "postValidation": "Done"
+        },
+        "bladeTitle": "Playbooks",
+        "elements": [
+          {
+            "name": "playbooks-text",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "text": "This Microsoft Sentinel Integration installs a playbook that allows Microsoft Sentinel alerts to be sent to Salem for investigation"
+            }
+          },
+          {
+            "name": "playbooks-link",
+            "type": "Microsoft.Common.TextBlock",
+            "options": {
+              "link": {
+                "label": "Learn more",
+                "uri": "https://docs.microsoft.com/azure/sentinel/tutorial-respond-threats-playbook?WT.mc_id=Portal-Microsoft_Azure_CreateUIDef"
+              }
+            }
+          }
+        ]
+      }
+    ],
+    "outputs": {
+      "workspace-location": "[first(map(filter(basics('getLAWorkspace').value, (filter) => and(contains(toLower(filter.id), toLower(resourceGroup().name)),equals(filter.name,basics('workspace')))), (item) => item.location))]",
+      "location": "[location()]",
+      "workspace": "[basics('workspace')]"
+    }
+  }
+}