Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

MailGuard 365 Sentinel Solution #7992

Merged Sep 7, 2023 (24 commits). The diff below shows changes from 7 commits.
@@ -0,0 +1,133 @@
{
"Name": "MailGuard365_Threats_CL",
"Properties": [
{
"Name": "TenantId",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "MessageId_s",
"Type": "String"
},
{
"Name": "HeaderMessageId_s",
"Type": "String"
},
{
"Name": "UserId_g",
"Type": "String"
},
{
"Name": "CustomerTenantId_g",
"Type": "String"
},
{
"Name": "Score_d",
"Type": "Real"
},
{
"Name": "Virus_b",
"Type": "Bool"
},
{
"Name": "Category",
"Type": "String"
},
{
"Name": "Attachments_s",
"Type": "String"
},
{
"Name": "Sender_Email_s",
"Type": "Double"
},
{
"Name": "Sender_Domain_s",
"Type": "DateTime"
},
{
"Name": "Recipients_s",
"Type": "String"
},
{
"Name": "ReceivedHeaders_s",
"Type": "String"
},
{
"Name": "SenderHeader_s",
"Type": "String"
},
{
"Name": "ToHeader_s",
"Type": "Guid"
},
{
"Name": "CcHeader_s",
"Type": "String"
},
{
"Name": "Subject_s",
"Type": "String"
},
{
"Name": "OriginCountry_s",
"Type": "String"
},
{
"Name": "MessageDate_t",
"Type": "DateTime"
},
{
"Name": "MessageSize_d",
"Type": "Real"
},
{
"Name": "Action_s",
"Type": "String"
},
{
"Name": "ReceivedDateTime_d",
"Type": "Real"
},
{
"Name": "ForefrontAntiSpam_s",
"Type": "String"
},
{
"Name": "MicrosoftAntiSpam_s",
"Type": "String"
},
{
"Name": "IsInWhiteList_b",
"Type": "Bool"
},
{
"Name": "IsInBlackList_b",
"Type": "Bool"
},
{
"Name": "Email_s",
"Type": "String"
},
{
"Name": "HasAttachment_b",
"Type": "Bool"
},
{
"Name": "HasImage_b",
"Type": "Bool"
},
{
"Name": "Type",
"Type": "String"
}
]
}
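Review bot: the declared types of `Sender_Email_s` (`Double`), `Sender_Domain_s` (`DateTime`) and `ToHeader_s` (`Guid`) contradict the `_s` suffix those columns carry, which in Log Analytics custom-log naming marks a string, and the connector's own sample query summarizes threats by `Sender_Email_s` as an address; an email address, a domain or a To header cannot land in a numeric, datetime or GUID column, so all three should be `"Type": "String"`. `ReceivedDateTime_d` is declared `Real` while `MessageDate_t` is `DateTime`; if it is a timestamp it should follow the `_t`/`DateTime` pattern, otherwise the name should say what the number represents. `Double` also differs from the type name used for the other numeric columns here (`Score_d` and `MessageSize_d` are `Real`); keep one spelling. Two more things to confirm: `Category` is the only custom field without a type suffix, and data ingested through the workspace ID and primary key flow the connector describes gets suffixed column names, so check that the ingested column really is `Category` rather than `Category_s`, since every analytics rule in this PR filters on it; and `Type` is the standard column that holds the table name for every Log Analytics table, so a custom column named `Type` will collide with it.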
1 change: 1 addition & 0 deletions Logos/MailGuard365_logo.svg
108 changes: 108 additions & 0 deletions Solutions/MailGuard 365/Data Connectors/MailGuard365.json
@@ -0,0 +1,108 @@
{
"id": "MailGuard365",
"title": "MailGuard 365",
"publisher": "MailGuard365",
"descriptionMarkdown": "MailGuard 365 Enhanced Email Security for Microsoft 365. Exclusive to the Microsoft marketplace, MailGuard 365 is integrated with Microsoft 365 security (incl. Defender) for enhanced protection against advanced email threats like phishing, ransomware and sophisticated BEC attacks.",
"graphQueries": [
{
"metricName": "Total data received",
"legend": "MailGuard365_Threats_CL",
"baseQuery": "MailGuard365_Threats_CL"
}
],
"sampleQueries": [
{
"description" : "All phishing threats stopped by MailGuard 365",
"query": "MailGuard365_Threats_CL \n | where where Category == \"Phishing\""
@v-rbajaj (Contributor), Jun 9, 2023:
Please remove the extra "where" from the query, this should fix the failing KQL validation.

Contributor:
Please do fix the ARM TTK validation as well.

Contributor Author:
Thank you, I've fixed the KQL validation and the ARM TTK validation as well.

},
{
"description" : "All threats summarized by sender email address",
"query": "MailGuard365_Threats_CL \n | summarize count() by Sender_Email_s"
},
{
"description" : "All threats summarized by category",
"query": "MailGuard365_Threats_CL \n | summarize count() by Category"
}
],
"dataTypes": [
{
"name": "MailGuard365_Threats_CL",
"lastDataReceivedQuery": "MailGuard365_Threats_CL\n | summarize Time = max(TimeGenerated)\n | where isnotempty(Time)"
}
],
"connectivityCriterias": [
{
"type": "IsConnectedQuery",
"value": [
"MailGuard365_Threats_CL\n | summarize LastLogReceived = max(TimeGenerated)\n | project IsConnected = LastLogReceived > ago(30d)"
]
}
],
"availability": {
"status": 1,
"isPreview": false
},
"permissions": {
"resourceProvider": [
{
"provider": "Microsoft.OperationalInsights/workspaces",
"permissionsDisplayText": "read and write permissions are required.",
"providerDisplayName": "Workspace",
"scope": "Workspace",
"requiredPermissions": {
"write": true,
"read": true,
"delete": true
}
},
{
"provider": "Microsoft.OperationalInsights/workspaces/sharedKeys",
"permissionsDisplayText": "read permissions to shared keys for the workspace are required. [See the documentation to learn more about workspace keys](https://docs.microsoft.com/azure/azure-monitor/platform/agent-windows#obtain-workspace-id-and-key).",
"providerDisplayName": "Keys",
"scope": "Workspace",
"requiredPermissions": {
"action": true
}
}
]
},
"instructionSteps": [
{
"title": "Configure and connect MailGuard 365",
"description": "1. In the MailGuard 365 Console, click **Settings** on the navigation bar.\n2. Click the **Integrations** tab.\n3. Click the **Enable Microsoft Sentinel**.\n - Enter your workspace id and primary key from the fields below, click **Finish**.\n5. For additional instructions, please contact MailGuard 365 support.",
Contributor:
Hi @prathikc, the description needs to be fixed, there is a small problem with the numbering, please take a look at the image below.
[image]

Please repackage the solution post fixing.

Contributor Author:
Hi @v-rbajaj, that was a good catch! I have made the changes and re-packaged the solution.

"instructions": [
{
"parameters": {
"fillWith": [
"WorkspaceId"
],
"label": "Workspace ID"
},
"type": "CopyableLabel"
},
{
"parameters": {
"fillWith": [
"PrimaryKey"
],
"label": "Primary Key"
},
"type": "CopyableLabel"
}
]
}
],
"metadata": {
"id": "310bcb08-38be-4257-b4d5-035e1ae3f256",
"version": "1.0.0",
"kind": "dataConnector",
"author": {
"name": "MailGuard 365"
},
"support": {
"name": "MailGuard 365",
"link": "https://www.mailguard365.com/support",
"tier": "developer"
}
}
}
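Review bot: `requiredPermissions` for the `Microsoft.OperationalInsights/workspaces` provider asks for `"delete": true`, while the `permissionsDisplayText` two lines above states that only "read and write permissions are required"; the setup flow in `instructionSteps` only reads the Workspace ID and Primary Key, so drop `delete` and keep the displayed text and the required set consistent. The `PrimaryKey` surfaced by the `CopyableLabel` step is the workspace shared key, which authorizes ingestion into any table in the workspace, not just `MailGuard365_Threats_CL`; the step should tell the user to treat it as a secret and to rotate the key if the MailGuard 365 console is ever compromised. Still visible in this revision, and already flagged in the thread: the sample query `| where where Category == \"Phishing\"` has a doubled `where`, and the instruction list is numbered 1, 2, 3, 5. Finally, `IsConnectedQuery` uses `ago(30d)`, so the connector keeps reporting as connected for up to 30 days after the feed stops; consider whether that is the window you want for detecting a broken integration.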
@@ -0,0 +1,23 @@
id: 5e3aa1a5-5b69-421e-a3ac-32b04cb10353
name: MailGuard 365 - High Confidence Threats
description: |
'Query searches for high confidence threats stopped by MailGuard 365.'
severity: Medium
requiredDataConnectors:
- connectorId: MailGuard365
dataTypes:
- MailGuard365
tactics:
- Reconnaissance
relevantTechniques:
- T1598
query: |
MailGuard365_Threats_CL
| where Score_d > 20
entityMappings:
- entityType: Mail message
fieldMappings:
- identifier: NetworkMessageId
columnName: MessageId_s
- identifier: Recipient
columnName: Email_s
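Review bot: `dataTypes: - MailGuard365` does not match the data type the connector declares (`"name": "MailGuard365_Threats_CL"` in its `dataTypes`), so the rule's connector requirement points at a type that does not exist; use `MailGuard365_Threats_CL`. `entityType: Mail message` is not a valid Sentinel entity type name; the identifiers mapped here (`NetworkMessageId`, `Recipient`) belong to `MailMessage`, written without a space, and `Sender_Email_s` could be mapped to its `Sender` identifier so the sender shows up in the investigation graph. The file as shown has no `kind: Scheduled`, `queryFrequency`, `queryPeriod`, `triggerOperator`, `triggerThreshold` or `version`, which a scheduled rule template needs to be packaged and to bound the query window; as written, `| where Score_d > 20` is not time-boxed and would re-scan the table on every run. The `20` threshold should also be explained in `description` (what scale `Score_d` uses and why 20 counts as high confidence).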
@@ -0,0 +1,29 @@
id: daaae6ad-1fd0-4efa-b571-116689e67a20
name: MailGuard 365 - Malware Threats
description: |
'Query searches for malware threats stopped by MailGuard 365.'
severity: High
requiredDataConnectors:
- connectorId: MailGuard365
dataTypes:
- MailGuard365
tactics:
- InitialAccess
- Reconnaissance
relevantTechniques:
- T1592
- T1589
- T1590
- T1591
- T1189
- T1190
query: |
MailGuard365_Threats_CL
| where Category == "Malicious Documents"
entityMappings:
- entityType: Mail message
fieldMappings:
- identifier: NetworkMessageId
columnName: MessageId_s
- identifier: Recipient
columnName: Email_s
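Review bot: `relevantTechniques` lists T1592, T1589, T1590 and T1591, which are Reconnaissance techniques for gathering victim host, identity, network and organization information, and T1189/T1190 (Drive-by Compromise, Exploit Public-Facing Application); none of these describes a malicious document arriving by email, which is what `Category == "Malicious Documents"` matches. The fitting techniques are T1566 (Phishing, spearphishing attachment) under `InitialAccess` and T1204 (User Execution) under `Execution`, and the `Reconnaissance` tactic should be removed. As in the other rules in this PR, `dataTypes: - MailGuard365` should be `MailGuard365_Threats_CL` to match the connector's declared data type, `entityType: Mail message` should be `MailMessage`, and the scheduling fields (`kind`, `queryFrequency`, `queryPeriod`, `triggerOperator`, `triggerThreshold`, `version`) are absent.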
@@ -0,0 +1,26 @@
id: ee15ed10-d355-474e-b8ad-a8bbb76f6d38
name: MailGuard 365 - Phishing Threats
description: |
'Query searches for phishing threats stopped by MailGuard 365.'
severity: Medium
requiredDataConnectors:
- connectorId: MailGuard365
dataTypes:
- MailGuard365
tactics:
- InitialAccess
- Reconnaissance
- Credential Access
relevantTechniques:
- T1598
- T1566
query: |
MailGuard365_Threats_CL
| where Category == "Phishing"
entityMappings:
- entityType: Mail message
fieldMappings:
- identifier: NetworkMessageId
columnName: MessageId_s
- identifier: Recipient
columnName: Email_s
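Review bot: `tactics` contains `Credential Access` with a space; the Sentinel tactic name is `CredentialAccess`, in the same camel-case form as `InitialAccess` on the line above, and the spaced form will not match the tactic enum. T1566 (Phishing) is an InitialAccess technique and T1598 (Phishing for Information) is Reconnaissance, so those two are consistent with their tactics, but no Credential Access technique is listed to justify that third tactic; either drop it or add the technique it refers to. Same fixes as the other rules: `dataTypes: - MailGuard365` should name `MailGuard365_Threats_CL` as the connector does, `entityType: Mail message` should be `MailMessage`, and the scheduling fields (`kind`, `queryFrequency`, `queryPeriod`, `triggerOperator`, `triggerThreshold`, `version`) are missing.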