-
Notifications
You must be signed in to change notification settings - Fork 138
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
1 parent
b961a62
commit 4c8ca0b
Showing
3 changed files
with
120 additions
and
0 deletions.
There are no files selected for viewing
18 changes: 18 additions & 0 deletions
18
Plugins/Community Based Plugins/Sentinel-SOC-Optimization-CustomPlugin/README.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,18 @@ | ||
| # Copilot for Security Custom Plugin - SOC Optimization in Sentinel | ||
|
|
||
| SOC Optimization is a feature of Microsoft Sentinel that provides the recommendations for optimal data utilization and attack detection. | ||
| This custom plugin connects to Azure REST APIs to get the details of all the recommendations delivered by SOC Optimization. | ||
|
|
||
| ### Prerequisites: | ||
| * This plugin is useful when you have a Microsoft Sentinel workspace | ||
|
|
||
| ### Note: | ||
| The code in this custom plugin is also an example on how to query, from Copilot for Security, any Azure REST API. Implement the same strategy to develop custom plugins that gather comprehensive information about any Azure component (like Log Analytics, VMs, etc.) that you think would be beneficial for your Copilot for Security users in their investigations and promptbooks. | ||
|
|
||
| ### Instructions: | ||
| 1. Download the "manfiest" YAML file in this folder. Save it locally | ||
| 3. Add the custom plugin in Copilot for Security by uploading the manfiest YAML file (see [Manage plugins in Microsoft Copilot for Security](https://learn.microsoft.com/en-us/copilot/security/manage-plugins?tabs=securitycopilotplugin)) | ||
|
|
||
| ### References: | ||
| * [SOC optimization - unlock the power of precision-driven security management](https://techcommunity.microsoft.com/t5/microsoft-sentinel-blog/soc-optimization-unlock-the-power-of-precision-driven-security/ba-p/4130589) | ||
| * [Azure REST API reference](https://learn.microsoft.com/en-us/rest/api/azure/) |
32 changes: 32 additions & 0 deletions
32
...unity Based Plugins/Sentinel-SOC-Optimization-CustomPlugin/SOC-Optimization-Manifest.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,32 @@ | ||
| Descriptor: | ||
| Name: SOC Optimization for Microsoft Sentinel | ||
| DisplayName: SOC Optimization for Microsoft Sentinel (Community release) | ||
| Description: SOC Optimization is a feature of Microsoft Sentinel that provides the recommendations for optimal data utilization and attack detection. | ||
| DescriptionForModel: SOC Optimization is a feature of Microsoft Sentinel that provides three kind of recommendations. | ||
| Firstly, it provides daily adaptive strategies for optimal data utilization and attack detection. | ||
| Secondly, it provides actionable insights into data usage patterns for threat protection and cost optimization. | ||
| Lastly, it provides threat-based recommendations using the MITRE ATT&CK framework. | ||
| The following are examples of recommendations provided by SOC Optimization | ||
| Low usage of <table_name> table (Table <table_name> wasn't queried in the last 30 days) | ||
| Coverage improvement against AiTM (Adversary in the Middle) | ||
| Coverage improvement against BEC (Financial Fraud) | ||
| Coverage improvement against ERP (SAP) Financial Process Manipulation | ||
| Coverage improvement against BEC (Mass Credential Harvest) | ||
| Coverage improvement against Human Operated Ransomware | ||
| Coverage improvement against IaaS Resource Theft | ||
| Settings: | ||
| - Name: SentinelApiUrl | ||
| Label: Microsoft Sentinel APIs URL | ||
| Description: ATTENTION! In the URL below, be sure to replace the placehoders SUBSCRIPTION-ID, RESOURCE-GROUP-NAME and SENTINEL-WORKSPACE-NAME with their correct values in your environment. Do not change the rest of the URL. | ||
| HintText: ATTENTION! In the URL below, be sure to replace the placehoders SUBSCRIPTION-ID, RESOURCE-GROUP-NAME and SENTINEL-WORKSPACE-NAME with their correct values in your environment. Do not change the rest of the URL. | ||
| DefaultValue: https://management.azure.com/subscriptions/SUBSCRIPTION-ID/resourceGroups/RESOURCE-GROUP-NAME/providers/Microsoft.OperationalInsights/workspaces/SENTINEL-WORKSPACE-NAME/providers/Microsoft.SecurityInsights | ||
| SettingType: String | ||
| Required: true | ||
| Authorization: | ||
| Type: AADDelegated | ||
| EntraScopes: https://management.azure.com/user_impersonation | ||
| SkillGroups: | ||
| - Format: API | ||
| Settings: | ||
| OpenApiSpecUrl: https://raw.githubusercontent.com/stefanpems/cfs/main/Sentinel-SOC-Optimization-CustomPlugin/SOC-Optimization-Specification.yaml | ||
| EndpointUrlSettingName: SentinelApiUrl |
70 changes: 70 additions & 0 deletions
70
... Based Plugins/Sentinel-SOC-Optimization-CustomPlugin/SOC-Optimization-Specification.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| openapi: 3.0.0 | ||
|
|
||
| info: | ||
| title: Sentinel SOC Optimization | ||
| description: Skills to retrieve the recommendations provided by the "SOC Optimization" feature in Microsoft Sentinel. | ||
| version: "0.0.1" | ||
|
|
||
| paths: | ||
| /recommendations?api-version=2024-01-01-preview: | ||
| get: | ||
| operationId: GetSentinelSOCOptimizationRecommendations | ||
| summary: Gets a list of all recommendations made available by the "SOC Optimization" experience in Microsoft Sentinel. | ||
|
|
||
| There are two types of recommendations. | ||
|
|
||
| The recommedations of type "Precision_Coverage" are focused on the improvement of the coverage on threat detection against a | ||
| specific threat or attack. The coverage refers to the quantity of defenses established in Sentinel to counteract that threat. | ||
| These defenses are usually artifacts, such as analytic rules, threat hunting queries, notebooks, workbooks, and so on, | ||
| which can be identified as "solutions" in the Sentinel's Content Hub or can be created as custom solutions. | ||
| The possibility to install and use these solutions depends on the availability of the data sources they refer to. | ||
|
|
||
| The recommedations categorized as "Precision_DataValue" are aimed at enhancing the utilization of data that has been | ||
| ingested into a particular table in the Log Analytics workspace, which serves as storage for the Sentinel workspace. | ||
|
|
||
| For each of the returned recommendations, the response include its type and a set of suggestions. Each suggestion related to | ||
| a specific recommendation may include "additional properties". The list of these properties depends on the type of the | ||
| related parent recommendation. | ||
|
|
||
| Suggestions related to recommendations of type "Precision_Coverage" inlude | ||
|
|
||
| the list of "TemplateIds" (IDs of the artifacts that can be found in the Microsoft Sentinel Content Hub and that, if adopted, | ||
| could help for improving the coverage against the considered threat), | ||
|
|
||
| the list of "Tactics" (including the MITRE ATT&CK Tactics and Techniques involved in the threat considered by the analyzed coverage), | ||
|
|
||
| the list of "CoverageEntities" (including a list of artifacts, which are Templates in the Content Hub in Sentinel, - described in | ||
| terms of Identifier Id and Name plus MITRE ATT&CK Tactics and Techniques), | ||
|
|
||
| the list of "DataSources" (representing the names of the tables in Log Analytics that inlcude data that may be useful to improve | ||
| the coverage) | ||
|
|
||
| and the list of "ConnectorIds" (representing the names of the connectors that can be found in the Content Hub in Sentinel and | ||
| that, if activated, could ingest data that may be useful to improve that coverage) | ||
|
|
||
| Suggestions related to recommendations of type "Precision_DataValue" inlude the list of of "TemplateIds" (IDs of the solutions, that | ||
| can be found in the Microsoft Sentinel Content Hub, containing artifacts that can use the data collected in the considered table) | ||
|
|
||
| responses: | ||
| 200: | ||
| description: Successful authentication. | ||
| 401: | ||
| description: Unsuccessful authentication. | ||
|
|
||
|
|
||
| /contentPackages?api-version=2024-01-01-preview: | ||
| get: | ||
| operationId: GetSentinelContentHubInstalledPackages | ||
| summary: Gets a list of all the "packages" (a.k.a. "solutions") available in the Content Hub in Microsoft Sentinel | ||
| and already installed in the referenced Sentinel workspace. | ||
|
|
||
| The result for each package includes a list of "dependecies" which are basically the artifacts included in the | ||
| solution (analytic rules, threat hunting queries, notebooks, workbooks,...) | ||
|
|
||
| responses: | ||
| 200: | ||
| description: Successful authentication. | ||
| 401: | ||
| description: Unsuccessful authentication. | ||
|
|
||
|
|