Merge pull request #11220 from illumio-shield/illumio-sentinel-m2-mor…

…e-analytic-rules Added more analytic rules, modified existing queries, changed alerttype
Azure · Oct 14, 2024 · fd82373 · fd82373
2 parents 3b75b99 + 3c609bc
commit fd82373
Show file tree

Hide file tree

Showing 10 changed files with 645 additions and 68 deletions.
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml
@@ -0,0 +1,37 @@
+id: b3c4b8f4-c12c-471e-9999-023c05852276
+name: Illumio VEN Clone Detection Rule
+description: |
+  'Create Microsoft Sentinel Incident When A Cloned Ven Is Detected'
+severity: High
+status: Available
+requiredDataConnectors: 
+  - connectorId: IllumioSaaSDataConnector
+    dataTypes:
+      - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+  Illumio_Auditable_Events_CL
+  | where event_type has 'agent.clone_detected'
+  | extend hostname = created_by.agent.hostname,
+          ven_href = created_by.ven.href
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: hostname
+alertDetailsOverride:
+  alertDisplayNameFormat: | 
+    Illumio VEN Clone Detection Incident for {{hostname}}
+  alertDescriptionFormat: | 
+    Illumio VEN Clone Detection for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Deactivated_Query.yaml
@@ -0,0 +1,46 @@
+id: c18bd8c2-50f0-4aa2-8122-d449243627d7
+name: Illumio VEN Deactivated Detection Rule
+description: |
+  'Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state'
+severity: High
+status: Available
+requiredDataConnectors: 
+  - connectorId: IllumioSaaSDataConnector
+    dataTypes:
+      - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+  Illumio_Auditable_Events_CL
+  | where event_type has 'agent.deactivate'
+  | mv-expand resource_changes
+  | extend hostname = resource_changes['resource']['workload']['hostname'],
+      workload_href = resource_changes['resource']['workload']['href'],
+      workload_labels = resource_changes['resource']['workload']['labels']
+  | extend ipaddress = action.src_ip,       
+        ven_href = created_by.ven.href
+  | project-away resource_changes, action, version 
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: hostname
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ipaddress            
+alertDetailsOverride:
+  alertDisplayNameFormat: | 
+    Illumio VEN Deactivated Incident for {{hostname}}
+  alertDescriptionFormat: | 
+    Illumio VEN Deactivated Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml
@@ -18,19 +18,20 @@ relevantTechniques:
 - T1562
 query: |
   let enf_state = dynamic(["full", "selective"]);
-  let visibility_state = dynamic(["visibility", "idle"]);
+  let visibility_state = dynamic(["visibility_only", "idle"]);
   Illumio_Auditable_Events_CL
   | extend temp_resource_changes = parse_json(resource_changes)[0]
   | where event_type == 'workloads.update' 
   | extend old_mode = temp_resource_changes.changes.enforcement_mode.before,
           new_mode = temp_resource_changes.changes.enforcement_mode.after,
           workload_href = temp_resource_changes.resource.workload.href,
-          workload_name = temp_resource_changes.resource.workload.hostname
+          workload_name = temp_resource_changes.resource.workload.hostname,
+          ipaddress = action.src_ip
   | where new_mode in (visibility_state) and old_mode in (enf_state)
   | project-away temp_*
-  | project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by
+  | project old_mode, new_mode, workload_href, workload_name, TimeGenerated, created_by, ipaddress
 eventGroupingSettings:
-  aggregationKind: AlertPerResult
+  aggregationKind: SingleAlert
 entityMappings:
   - entityType: Host
     fieldMappings:
@@ -39,11 +40,15 @@ entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
-        columnName: created_by          
+        columnName: created_by
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ipaddress                  
 alertDetailsOverride:
   alertDisplayNameFormat: | 
-    Illumio Enforcement Change Incident: {{IncidentId}}
+    Illumio Enforcement Change Incident for {{workload_name}}
   alertDescriptionFormat: | 
-    Illumio Enforcement Change Incident {{IncidentId}} generated at {{TimeGenerated}}
-version: 1.0.5
+    Illumio Enforcement Change Incident for {{workload_name}} generated at {{TimeGenerated}}
+version: 1.0.6
 kind: Scheduled
diff --git a/...o_Firewall_Tampering_Detection_Query.yaml → ...N_Firewall_Tampering_Detection_Query.yaml b/...o_Firewall_Tampering_Detection_Query.yaml → ...N_Firewall_Tampering_Detection_Query.yaml
@@ -17,23 +17,27 @@ tactics:
 relevantTechniques:
 - T1562
 query: |
-  Illumio_Auditable_Events_CL
+ Illumio_Auditable_Events_CL
   | where event_type has 'tampering'
+  | extend ipaddress = action.src_ip,
+            hostname = created_by.agent.hostname,
+            ven_href = created_by.ven.href
+  | project-away resource_changes, action, version
 eventGroupingSettings:
-  aggregationKind: AlertPerResult
+  aggregationKind: SingleAlert
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: created_by
+        columnName: hostname
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: action          
+        columnName: ipaddress          
 alertDetailsOverride:
   alertDisplayNameFormat: | 
-    Illumio Firewall Tamper Incident: {{IncidentId}}
+    Illumio Firewall Tamper Incident for {{hostname}}
   alertDescriptionFormat: | 
-    Illumio Firewall Tamper Incident {{IncidentId}} generated at {{TimeGenerated}}
-version: 1.0.5
+    Illumio Firewall Tamper Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml
@@ -17,19 +17,24 @@ tactics:
 relevantTechniques:
 - T1562
 query: |
-  Illumio_Auditable_Events_CL
-  | where event_type has 'agent_offline_check'
+    Illumio_Auditable_Events_CL
+    | where event_type has 'agent_offline_check'
+    | mv-expand resource_changes
+    | extend hostname = resource_changes['resource']['workload']['hostname'],
+        workload_href = resource_changes['resource']['workload']['href'],
+        workload_labels = resource_changes['resource']['workload']['labels']
+    | project-away resource_changes, version, notifications, action, severity, status // action field will have filtered ip addr, so no point of using IP entity
 eventGroupingSettings:
-  aggregationKind: AlertPerResult
+  aggregationKind: SingleAlert
 entityMappings:
   - entityType: Host
     fieldMappings:
       - identifier: HostName
-        columnName: resource_changes
+        columnName: hostname     
 alertDetailsOverride:
   alertDisplayNameFormat: | 
-    Illumio VEN Offline Incident: {{IncidentId}}
+    Illumio VEN Offline Incident for {{hostname}}
   alertDescriptionFormat: | 
-    Illumio VEN Offline Incident {{IncidentId}} generated at {{TimeGenerated}}
-version: 1.0.5
+    Illumio VEN Offline Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.6
 kind: Scheduled
diff --git a/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml b/Solutions/IllumioSaaS/Analytic Rules/Illumio_VEN_Suspend_Query.yaml
@@ -0,0 +1,42 @@
+id: 7379f752-18a2-43ca-8b74-70747dd792f8
+name: Illumio VEN Suspend Detection Rule
+description: |
+  'Create Microsoft Sentinel Incident When Ven Goes Into Suspended state'
+severity: High
+status: Available
+requiredDataConnectors: 
+  - connectorId: IllumioSaaSDataConnector
+    dataTypes:
+      - Illumio_Auditable_Events_CL
+queryFrequency: 60m
+queryPeriod: 60m
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+- DefenseEvasion
+relevantTechniques:
+- T1562
+query: |
+  Illumio_Auditable_Events_CL
+  | where event_type has 'agent.suspend'
+  | extend ipaddress = action.src_ip,
+        hostname = created_by.agent.hostname
+  | project-away resource_changes, action, version        
+eventGroupingSettings:
+  aggregationKind: SingleAlert
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: hostname
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: ipaddress        
+alertDetailsOverride:
+  alertDisplayNameFormat: | 
+    Illumio VEN Suspended Incident for {{hostname}}
+  alertDescriptionFormat: | 
+    Illumio VEN Suspended Incident for {{hostname}} generated at {{TimeGenerated}}
+version: 1.0.5
+kind: Scheduled
diff --git a/Solutions/IllumioSaaS/Package/3.2.0.zip b/Solutions/IllumioSaaS/Package/3.2.0.zip
diff --git a/Solutions/IllumioSaaS/Package/createUiDefinition.json b/Solutions/IllumioSaaS/Package/createUiDefinition.json
@@ -6,7 +6,7 @@
     "config": {
       "isWizard": false,
       "basics": {
-        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 3\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
+        "description": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Logos/IllumioLogo.svg\" width=\"75px\" height=\"75px\">\n\n**Note:** Please refer to the following before installing the solution: \n\n• Review the solution [Release Notes](https://github.com/Azure/Azure-Sentinel/tree/master/Solutions/IllumioSaaS/ReleaseNotes.md)\n\n • There may be [known issues](https://aka.ms/sentinelsolutionsknownissues) pertaining to this Solution, please refer to them before installing.\n\n[IllumioSaaS](https://www.illumio.com/) solution provides ability to ingest auditable and flow events from AWS S3 bucket.\n\n**Data Connectors:** 1, **Workbooks:** 3, **Analytic Rules:** 6\n\n[Learn more about Microsoft Sentinel](https://aka.ms/azuresentinel) | [Learn more about Solutions](https://aka.ms/azuresentinelsolutionsdoc)",
         "subscription": {
           "resourceProviders": [
             "Microsoft.OperationsManagement/solutions",
@@ -212,6 +212,48 @@
                 }
               }
             ]
+          },
+          {
+            "name": "analytic4",
+            "type": "Microsoft.Common.Section",
+            "label": "Illumio VEN Clone Detection Rule",
+            "elements": [
+              {
+                "name": "analytic4-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Create Microsoft Sentinel Incident When A Cloned Ven Is Detected"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic5",
+            "type": "Microsoft.Common.Section",
+            "label": "Illumio VEN Deactivated Detection Rule",
+            "elements": [
+              {
+                "name": "analytic5-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Create Microsoft Sentinel Incident When Ven Goes Into Deactivated state"
+                }
+              }
+            ]
+          },
+          {
+            "name": "analytic6",
+            "type": "Microsoft.Common.Section",
+            "label": "Illumio VEN Suspend Detection Rule",
+            "elements": [
+              {
+                "name": "analytic6-text",
+                "type": "Microsoft.Common.TextBlock",
+                "options": {
+                  "text": "Create Microsoft Sentinel Incident When Ven Goes Into Suspended state"
+                }
+              }
+            ]
           }
         ]
       }

diff --git a/Solutions/IllumioSaaS/Package/mainTemplate.json b/Solutions/IllumioSaaS/Package/mainTemplate.json
diff --git a/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json b/Solutions/IllumioSaaS/data/Solution_IllumioSaaS.json
@@ -12,9 +12,12 @@
         "Workbooks/IllumioWorkloadsStats.json"
     ],
     "Analytic Rules": [
-        "Analytic Rules/Illumio_Firewall_Tampering_Detection_Query.yaml",
+        "Analytic Rules/Illumio_VEN_Firewall_Tampering_Detection_Query.yaml",
         "Analytic Rules/Illumio_VEN_Enforcement_Change_Detection_Query.yaml",
-        "Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml"
+        "Analytic Rules/Illumio_VEN_Offline_Detection_Query.yaml",
+        "Analytic Rules/Illumio_VEN_Clone_Detection_Query.yaml",
+        "Analytic Rules/Illumio_VEN_Deactivated_Query.yaml",
+        "Analytic Rules/Illumio_VEN_Suspend_Query.yaml"
     ],    
     "BasePath": "C:\\GitHub\\Azure-Sentinel\\Solutions\\IllumioSaaS",
     "Version": "3.2.0",