SpyCloud Enterprise Protection Initial Commit

.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json

@@ -0,0 +1,77 @@
+{
+  "Name": "SpyCloudBreachDataWatchlist_CL",
+  "Properties": [
+    {
+      "Name": "Document_Id_g",
+      "Type": "String"
+    },
+    {
+      "Name": "Domain_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Email_s",
+      "Type": "String"
+    },
+    {
+      "Name": "IP_Address_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Infected_Machine_Id",
+      "Type": "String"
+    },
+    {
+      "Name": "Infected_Path_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Infected_Time_t",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "Password_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Password_Plaintext_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Severity_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Source_Id_s",
+      "Type": "String"
+    },
+    {
+      "Name": "SpyCloud_Publish_Date_t",
+      "Type": "DateTime"
+    },
+    {
+      "Name": "Target_Domain_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Target_SubDomain_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Target_URL_s",
+      "Type": "String"
+    },
+    {
+      "Name": "User_Hostname_s",
+      "Type": "String"
+    },
+    {
+      "Name": "User_OS_s",
+      "Type": "String"
+    },
+    {
+      "Name": "Username_s",
+      "Type": "String"
+    }
+  ]
+}

Sample Data/Custom/SpyCloudBreachDataWatchlist_CL.json

@@ -0,0 +1,81 @@
+[{
+        "Document_Id": "a888d0f7-5688-471e-8230-8fd5ab903289",
+        "Domain": "example.net",
+        "Email": "sanitized@sanitized.com",
+        "IP_Address": "82.66.91.250",
+        "Infected_Machine_Id": "833ca19e-bb6e-4b42-867c-d4da26f5e47e",
+        "Infected_Path": "C:\\Users\\Pc\\AppData\\Local\\Temp\\Rar$EXb17664.13499\\Setup.exe",
+        "Infected_Time": "2022-05-26T00:19:15Z",
+        "Password": "password",
+        "Password_Plaintext": "password",
+        "Severity": "25",
+        "Source_Id": "45775",
+        "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
+        "Target_Domain": "",
+        "Target_SubDomain": "",
+        "Target_URL": "127.0.0.1",
+        "User_Hostname": "DESKTOP-R9UHSL2",
+        "User_OS": "Windows 10 Pro [x64]",
+        "Username": ""
+    },
+    {
+        "Document_Id": "f4328f85-9d5d-4bdc-bd31-fb21844347eb",
+        "Domain": "example.net",
+        "Email": "sanitized@sanitized.com",
+        "IP_Address": "154.118.62.47",
+        "Infected_Machine_Id": "04a30194-1e78-4bbe-bbcf-927c5a7ff9a3",
+        "Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe",
+        "Infected_Time": "2021-11-10T21:52:27Z",
+        "Password": "password",
+        "Password_Plaintext": "password",
+        "Severity": "25",
+        "Source_Id": "45775",
+        "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
+        "Target_Domain": "sidjisanggarrias.my.id",
+        "Target_SubDomain": "",
+        "Target_URL": "sidjisanggarrias.my.id",
+        "User_Hostname": "DESKTOP-I2737MG",
+        "User_OS": "Windows 10 Pro [x64]",
+        "Username": ""
+    },
+    {
+        "Document_Id": "62a47fd6-4c00-4e11-9ee1-d0d3f9b92d2a",
+        "Domain": "example.net",
+        "Email": "sanitized@sanitized.com",
+        "IP_Address": "41.199.16.142",
+        "Infected_Machine_Id": "40c31de2-d2ad-4f3b-9a7b-0506578cdd03",
+        "Infected_Path": "C:\\Users\\CHOICE COMPUTER\\Downloads\\pswd_9787_portable-setup\\Setup.exe",
+        "Infected_Time": "2023-01-27T21:50:06Z",
+        "Password": "Chancery1",
+        "Password_Plaintext": "Chancery1",
+        "Severity": "25",
+        "Source_Id": "45775",
+        "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
+        "Target_Domain": "cytonn.com",
+        "Target_SubDomain": "stage.careers.cytonn.com",
+        "Target_URL": "stage.careers.cytonn.com",
+        "User_Hostname": "DESKTOP-R2LML9F",
+        "User_OS": "Windows 10 Pro [x64]",
+        "Username": ""
+    },
+    {
+        "Document_Id": "7720e6ec-ab63-441d-9b06-7551e45f8ca3",
+        "Domain": "example.net",
+        "Email": "sanitized@sanitized.com",
+        "IP_Address": "41.199.16.142",
+        "Infected_Machine_Id": "17ccfce3-b74f-4dbd-abd2-5f879caa7068",
+        "Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe",
+        "Infected_Time": "2021-02-11T01:45:46Z",
+        "Password": "password@admin$",
+        "Password_Plaintext": "password@admin$",
+        "Severity": "25",
+        "Source_Id": "45775",
+        "SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
+        "Target_Domain": "",
+        "Target_SubDomain": "",
+        "Target_URL": "127.0.0.1",
+        "User_Hostname": "DESKTOP-Q8BDVTN",
+        "User_OS": "Windows 10 Pro [x64]",
+        "Username": ""
+    }
+]

Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml

@@ -0,0 +1,52 @@
+id: cb410ad5-6e9d-4278-b963-1e3af205d680
+name: SpyCloud Enterprise Breach Detection
+description: |
+  'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
+severity: High
+status: Available
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics: 
+  - CredentialAccess
+relevantTechniques:
+  - T1555
+query: |
+  SpyCloudBreachDataWatchlist_CL
+  | where Severity_s == '20'
+  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 12h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride: null
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: Email_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: Name
+        columnName: Username_s
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IP_Address_s
+customDetails:
+  Document_Id: Document_Id_g
+  Password: Password_s
+  Password_Plaintext: Password_Plaintext_s
+  Source_Id: Source_Id_s
+  Domain: Domain_s
+  PublishDate: SpyCloud_Publish_Date_t
+sentinelEntitiesMappings: null
+version: 1.0.0
+kind: Scheduled

Solutions/SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml

@@ -0,0 +1,71 @@
+id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
+name: SpyCloud Enterprise Malware Detection
+description: |
+  'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
+severity: High
+status: Available
+queryFrequency: 12h
+queryPeriod: 12h
+triggerOperator: gt
+triggerThreshold: 0
+suppressionDuration: 5h
+tactics: 
+  - CredentialAccess
+relevantTechniques:
+  - T1555
+query: |
+  SpyCloudBreachDataWatchlist_CL
+  | where Severity_s == '25'
+  | project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
+incidentConfiguration:
+  createIncident: true
+  groupingConfiguration:
+    enabled: true
+    reopenClosedIncident: false
+    lookbackDuration: 12h
+    matchingMethod: AllEntities
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+alertDetailsOverride: null
+entityMappings:
+  - entityType: Host
+    fieldMappings:
+      - identifier: HostName
+        columnName: Infected_Machine_Id_g
+  - entityType: Host		
+    fieldMappings:
+      - identifier: HostName
+        columnName: User_Hostname_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: FullName
+        columnName: Email_s
+  - entityType: Account		
+    fieldMappings:
+      - identifier: Name
+        columnName: Username_s
+  - entityType: DNS		
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Target_Domain_s
+  - entityType: DNS		
+    fieldMappings:
+      - identifier: DomainName
+        columnName: Target_SubDomain_s
+  - entityType: IP		
+    fieldMappings:
+      - identifier: Address
+        columnName: IP_Address_s
+customDetails:
+  Document_Id: Document_Id_g
+  Password: Password_s
+  Password_Plaintext: Password_Plaintext_s
+  Infected_Path: Infected_Path_s
+  Infected_Time: Infected_Time_t
+  Domain: Domain_s
+  Source_Id: Source_Id_s
+  PublishDate: SpyCloud_Publish_Date_t
+  User_Host_Name: User_Hostname_s
+sentinelEntitiesMappings: null
+version: 1.0.0
+kind: Scheduled

Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json

@@ -0,0 +1,26 @@
+{
+    "Name": "SpyCloud Enterprise Protection",
+    "Author": "SpyCloud",
+    "Logo": "<img src=\"https://raw.githubusercontent.com/VukaHeavyIndustries/azure-sentinel/master/Logos/SpyCloud_Enterprise_Protection.svg\" width=\"75\" height=\"75\" >",
+    "Description": "Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.",
+    "Playbooks": [
+        "Playbooks/Custom Connector/azuredeploy.json",
+        "Playbooks/SpyCloud-Breach-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Email-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-IP-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Password-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Get-Username-Breach-Data-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Malware-Playbook/azuredeploy.json",
+        "Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json"
+    ],
+    "Analytic Rules": [
+        "Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml",
+        "Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml"
+    ],
+    "BasePath": "D:\\GitHub\\Azure-Sentinel\\Solutions\\SpyCloud Enterprise Protection",
+    "Version": "3.0.0",
+    "Metadata": "SolutionMetadata.json",
+    "TemplateSpec": true,
+    "Is1PConnector": false
+}