diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml index 0da6d87b406..5224517bfea 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/CriticalCmdletsUsageDetection.yaml @@ -1,7 +1,7 @@ id: 5170c3c4-b8c9-485c-910d-a21d965ee181 name: VIP Mailbox manipulation description: | - 'Alert if an high important Cmdlet is executed on a VIP Mailbox as those Cmdlets can be used for data exfiltration or mailbox access.' + 'Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.' requiredDataConnectors: - connectorId: ESI-ExchangeAdminAuditLogEvents dataTypes: @@ -47,5 +47,5 @@ entityMappings: fieldMappings: - identifier: Name columnName: Caller -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml index 421fc9dd0e7..7f3c3b972df 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Analytic Rules/ServerOrientedWithUserOrientedAdministration.yaml @@ -1,7 +1,7 @@ id: 7bce901b-9bc8-4948-8dfc-8f68878092d5 name: Server Oriented Cmdlet And User Oriented Cmdlet used description: | - 'Detect if a server oriented Cmdlet and a user oriented cmdlet that are monitored are launched by a same user in a same server in a 10 minutes timeframe' + 'Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe' requiredDataConnectors: - connectorId: ESI-ExchangeAdminAuditLogEvents dataTypes: @@ -74,5 +74,5 @@ entityMappings: columnName: Caller - identifier: ObjectGuid columnName: TargetObject -version: 1.0.0 +version: 1.0.1 kind: Scheduled \ No newline at end of file diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.0.1.zip b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.0.1.zip new file mode 100644 index 00000000000..5ec6b7027be Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/3.0.1.zip differ diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json index 1c8da416924..b11cfbb2982 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/createUiDefinition.json @@ -98,8 +98,8 @@ "text": "After installing the solution, configure and enable the data connector that’s most relevant to your Exchange environment by following guidance in Manage solution view." } }, -{ - "name": "dataconnectors-parser", + { +"name": "dataconnectors-parser", "type": "Microsoft.Common.Section", "label": "Parsers", "elements": [ @@ -159,7 +159,7 @@ "name": "workbook1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector" + "text": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector." } } ] @@ -173,7 +173,7 @@ "name": "workbook2-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent" + "text": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent." } } ] @@ -187,7 +187,7 @@ "name": "workbook3-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent" + "text": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent." } } ] @@ -201,7 +201,7 @@ "name": "workbook4-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector" + "text": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector." } } ] diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json index 61af501dc02..fad4a49c3df 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Package/mainTemplate.json @@ -65,7 +65,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Exchange Security - Exchange On-Premises", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-exchangesecurityinsights", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ESI-ExchangeAdminAuditLogEvents", @@ -100,7 +100,7 @@ "parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", "_parserId2": "[variables('parserId2')]", "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))))]", - "parserVersion2": "1.0.0", + "parserVersion2": "1.0.1", "parserContentId2": "ExchangeConfiguration-Parser", "_parserContentId2": "[variables('parserContentId2')]", "_parsercontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId2'),'-', variables('parserVersion2'))))]", @@ -109,42 +109,42 @@ "parserId3": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName3'))]", "_parserId3": "[variables('parserId3')]", "parserTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId3'))))]", - "parserVersion3": "1.0.0", + "parserVersion3": "1.0.1", "parserContentId3": "ExchangeEnvironmentList-Parser", "_parserContentId3": "[variables('parserContentId3')]", "_parsercontentProductId3": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId3'),'-', variables('parserVersion3'))))]", - "workbookVersion1": "1.0.0", + "workbookVersion1": "1.0.1", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "workbookVersion2": "1.0.0", + "workbookVersion2": "1.0.1", "workbookContentId2": "MicrosoftExchangeSearchAdminAuditLog", "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", "_workbookContentId2": "[variables('workbookContentId2')]", "_workbookcontentProductId2": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId2'),'-', variables('workbookVersion2'))))]", - "workbookVersion3": "1.0.0", + "workbookVersion3": "1.0.1", "workbookContentId3": "MicrosoftExchangeSecurityMonitoring", "workbookId3": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId3'))]", "workbookTemplateSpecName3": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId3'))))]", "_workbookContentId3": "[variables('workbookContentId3')]", "_workbookcontentProductId3": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId3'),'-', variables('workbookVersion3'))))]", - "workbookVersion4": "1.0.0", + "workbookVersion4": "1.0.1", "workbookContentId4": "MicrosoftExchangeSecurityReview", "workbookId4": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId4'))]", "workbookTemplateSpecName4": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId4'))))]", "_workbookContentId4": "[variables('workbookContentId4')]", "_workbookcontentProductId4": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId4'),'-', variables('workbookVersion4'))))]", - "analyticRuleVersion1": "1.0.0", + "analyticRuleVersion1": "1.0.1", "analyticRulecontentId1": "5170c3c4-b8c9-485c-910d-a21d965ee181", "_analyticRulecontentId1": "[variables('analyticRulecontentId1')]", "analyticRuleId1": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId1'))]", "analyticRuleTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-ar-',uniquestring(variables('_analyticRulecontentId1'))))]", "_analyticRulecontentProductId1": "[concat(take(variables('_solutionId'),50),'-','ar','-', uniqueString(concat(variables('_solutionId'),'-','AnalyticsRule','-',variables('_analyticRulecontentId1'),'-', variables('analyticRuleVersion1'))))]", - "analyticRuleVersion2": "1.0.0", + "analyticRuleVersion2": "1.0.1", "analyticRulecontentId2": "7bce901b-9bc8-4948-8dfc-8f68878092d5", "_analyticRulecontentId2": "[variables('analyticRulecontentId2')]", "analyticRuleId2": "[resourceId('Microsoft.SecurityInsights/AlertRuleTemplates', variables('analyticRulecontentId2'))]", @@ -162,7 +162,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.0.0", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -1612,7 +1612,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.0.0", + "description": "Microsoft Exchange Security - Exchange On-Premises data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion2')]", @@ -2046,7 +2046,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeAdminAuditLogs Data Parser with template version 3.0.0", + "description": "ExchangeAdminAuditLogs Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -2176,7 +2176,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.0.0", + "description": "ExchangeConfiguration Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion2')]", @@ -2193,7 +2193,7 @@ "displayName": "Parser for ExchangeConfiguration", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", - "query": "let _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", "version": 2, "tags": [ @@ -2257,7 +2257,7 @@ "displayName": "Parser for ExchangeConfiguration", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", - "query": "let _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", "version": 2, "tags": [ @@ -2306,7 +2306,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.0.0", + "description": "ExchangeEnvironmentList Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion3')]", @@ -2323,7 +2323,7 @@ "displayName": "Parser for ExchangeEnvironmentList", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", - "query": "let _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", "functionParameters": "Target:string = \"On-Premises\"", "version": 2, "tags": [ @@ -2387,7 +2387,7 @@ "displayName": "Parser for ExchangeEnvironmentList", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", - "query": "let _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", "functionParameters": "Target:string = \"On-Premises\"", "version": 2, "tags": [ @@ -2436,7 +2436,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.0.0", + "description": "Microsoft Exchange Least Privilege with RBAC Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -2450,7 +2450,7 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment." + "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector." }, "properties": { "displayName": "[parameters('workbook1-name')]", @@ -2465,7 +2465,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeLeastPrivilegewithRBAC; logoFileName=Azure_Sentinel.svg; description=This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Least Privilege with RBAC; templateRelativePath=Microsoft Exchange Least Privilege with RBAC.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeLeastPrivilegewithRBAC; logoFileName=Azure_Sentinel.svg; description=This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Least Privilege with RBAC; templateRelativePath=Microsoft Exchange Least Privilege with RBAC.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", @@ -2498,7 +2498,7 @@ { "contentId": "ESI-ExchangeAdminAuditLogEvents", "kind": "DataConnector" - } + } ] } } @@ -2527,7 +2527,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Search Admin AuditLog Workbook with template version 3.0.0", + "description": "Microsoft Exchange Search AdminAuditLog Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -2541,7 +2541,7 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment." + "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent." }, "properties": { "displayName": "[parameters('workbook2-name')]", @@ -2556,7 +2556,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeSearchAdminAuditLog; logoFileName=Azure_Sentinel.svg; description=This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Search AdminAuditLog; templateRelativePath=Microsoft Exchange Search AdminAuditLog.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeSearchAdminAuditLog; logoFileName=Azure_Sentinel.svg; description=This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Search AdminAuditLog; templateRelativePath=Microsoft Exchange Search AdminAuditLog.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId2')]", "contentId": "[variables('_workbookContentId2')]", "kind": "Workbook", @@ -2589,7 +2589,7 @@ { "contentId": "ESI-ExchangeAdminAuditLogEvents", "kind": "DataConnector" - } + } ] } } @@ -2618,7 +2618,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Admin Activity Workbook with template version 3.0.0", + "description": "Microsoft Exchange Admin Activity Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion3')]", @@ -2632,7 +2632,7 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers." + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent." }, "properties": { "displayName": "[parameters('workbook3-name')]", @@ -2647,7 +2647,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId3'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeSecurityMonitoring; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeSecurityMonitoring; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Admin Activity; templateRelativePath=Microsoft Exchange Admin Activity.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId3')]", "contentId": "[variables('_workbookContentId3')]", "kind": "Workbook", @@ -2680,7 +2680,7 @@ { "contentId": "ESI-ExchangeAdminAuditLogEvents", "kind": "DataConnector" - } + } ] } } @@ -2709,7 +2709,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review Workbook with template version 3.0.0", + "description": "Microsoft Exchange Security Review Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion4')]", @@ -2723,7 +2723,7 @@ "kind": "shared", "apiVersion": "2021-08-01", "metadata": { - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks." + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector." }, "properties": { "displayName": "[parameters('workbook4-name')]", @@ -2738,7 +2738,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId4'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeSecurityReview; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Security Review; templateRelativePath=Microsoft Exchange Security Review.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId4')]", "contentId": "[variables('_workbookContentId4')]", "kind": "Workbook", @@ -2771,7 +2771,7 @@ { "contentId": "ESI-ExchangeAdminAuditLogEvents", "kind": "DataConnector" - } + } ] } } @@ -2800,7 +2800,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "CriticalCmdletsUsageDetection_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion1')]", @@ -2814,7 +2814,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Alert if an high important Cmdlet is executed on a VIP Mailbox as those Cmdlets can be used for data exfiltration or mailbox access.", + "description": "Alert if a cmdlet that can be translated to data exfiltration or mailbox access is executed on a VIP Mailbox.", "displayName": "VIP Mailbox manipulation", "enabled": false, "query": "ExchangeAdminAuditLogs\n| where ingestion_time() > ago(30m)\n| where IsSensitive == true\n| where UserOriented =~ 'Yes'\n| where IsVIP == true\n", @@ -2848,8 +2848,8 @@ { "fieldMappings": [ { - "columnName": "TargetObject", - "identifier": "MailboxPrimaryAddress" + "identifier": "MailboxPrimaryAddress", + "columnName": "TargetObject" } ], "entityType": "Mailbox" @@ -2857,8 +2857,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" } ], "entityType": "Host" @@ -2866,16 +2866,16 @@ { "fieldMappings": [ { - "columnName": "TargetObject", - "identifier": "Sid" + "identifier": "Sid", + "columnName": "TargetObject" }, { - "columnName": "TargetObject", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "TargetObject" }, { - "columnName": "TargetObject", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "TargetObject" } ], "entityType": "Account" @@ -2883,8 +2883,8 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "Name" + "identifier": "Name", + "columnName": "Caller" } ], "entityType": "Account" @@ -2942,7 +2942,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.0.0", + "description": "ServerOrientedWithUserOrientedAdministration_AnalyticalRules Analytics Rule with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('analyticRuleVersion2')]", @@ -2956,7 +2956,7 @@ "kind": "Scheduled", "location": "[parameters('workspace-location')]", "properties": { - "description": "Detect if a server oriented Cmdlet and a user oriented cmdlet that are monitored are launched by a same user in a same server in a 10 minutes timeframe", + "description": "Detect if a server oriented cmdlet and a user oriented cmdlet that are monitored are launched by the same user in the same server within a 10 minutes timeframe", "displayName": "Server Oriented Cmdlet And User Oriented Cmdlet used", "enabled": false, "query": "let timeframe = 1d;\nlet spanoftime = 10m;\nlet threshold = 0;\nExchangeAdminAuditLogs \n | where TimeGenerated > ago(2 * timeframe)\n | where isempty(UserOriented)\n | project serverExecutedTime = TimeGenerated,\n ServerCmdlet = CmdletName,\n ServerCmdletParams = CmdletParameters,\n Computer,\n Caller,\n ServerCmdletTargetObject = TargetObject\n | join kind= inner (\n ExchangeAdminAuditLogs\n | where TimeGenerated > ago(timeframe)\n | where UserOriented =~ 'Yes'\n | lookup kind=leftouter _GetWatchlist('ExchangeVIP') on $left.TargetObject == $right.canonicalName\n | project userExecutedTime = TimeGenerated,\n UserCmdlet = CmdletName,\n UserCmdletParams = CmdletParameters,\n Computer,\n Caller,\n UserCmdletTargetObject = TargetObject,\n userPrincipalName,\n objectGUID,\n sAMAccountName,\n IsVIP)\n on Computer, Caller\n | where userExecutedTime - serverExecutedTime < spanoftime\n | extend TimeDelta = userExecutedTime - serverExecutedTime\n | extend TimeDeltaInverse = serverExecutedTime - userExecutedTime\n | where tolong(TimeDelta) >= threshold or tolong(TimeDeltaInverse) >= threshold\n", @@ -2990,12 +2990,12 @@ { "fieldMappings": [ { - "columnName": "userPrincipalName", - "identifier": "MailboxPrimaryAddress" + "identifier": "MailboxPrimaryAddress", + "columnName": "userPrincipalName" }, { - "columnName": "userPrincipalName", - "identifier": "Upn" + "identifier": "Upn", + "columnName": "userPrincipalName" } ], "entityType": "Mailbox" @@ -3003,8 +3003,8 @@ { "fieldMappings": [ { - "columnName": "Computer", - "identifier": "FullName" + "identifier": "FullName", + "columnName": "Computer" } ], "entityType": "Host" @@ -3012,8 +3012,8 @@ { "fieldMappings": [ { - "columnName": "ServerCmdletTargetObject", - "identifier": "HostName" + "identifier": "HostName", + "columnName": "ServerCmdletTargetObject" } ], "entityType": "Host" @@ -3021,12 +3021,12 @@ { "fieldMappings": [ { - "columnName": "Caller", - "identifier": "Name" + "identifier": "Name", + "columnName": "Caller" }, { - "columnName": "TargetObject", - "identifier": "ObjectGuid" + "identifier": "ObjectGuid", + "columnName": "TargetObject" } ], "entityType": "Account" @@ -3080,7 +3080,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange On-Premises", diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeConfiguration.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeConfiguration.yaml index 37d0526c648..89f064731c3 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeConfiguration.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeConfiguration.yaml @@ -1,8 +1,8 @@ id: f2ae482d-999c-452e-b108-31880aa99620 Function: Title: Parser for ExchangeConfiguration - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2023-09-13' Category: Microsoft Sentinel Parser FunctionName: ExchangeConfiguration FunctionAlias: ExchangeConfiguration @@ -24,6 +24,14 @@ FunctionParams: Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises". DefaultValue: 'On-Premises' FunctionQuery: | + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let SpecificSectionList = ''; + // let SpecificConfigurationDate = 'lastdate'; + // let SpecificConfigurationEnv = 'All'; + // let Target = 'On-Premises'; + // // Parameters definition let _SpecificSectionList = split(SpecificSectionList,','); let _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),"lastdate",tostring(SpecificConfigurationDate)); diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeEnvironmentList.yaml b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeEnvironmentList.yaml index 76bab8257d3..5af32170e7b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeEnvironmentList.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/ExchangeEnvironmentList.yaml @@ -1,8 +1,8 @@ id: fa748dc3-00ee-41cb-b54e-8acd56041b2a Function: Title: Parser for ExchangeEnvironmentList - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2023-09-13' Category: Microsoft Sentinel Parser FunctionName: ExchangeEnvironmentList FunctionAlias: ExchangeEnvironmentList @@ -12,6 +12,11 @@ FunctionParams: Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises". DefaultValue: 'On-Premises' FunctionQuery: | + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let Target = 'On-Premises'; + // // Parameters definition let _target = iff(isnull(Target) or isempty(Target),"On-Premises",Target); let ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md new file mode 100644 index 00000000000..2bb91a6bef8 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/Parsers/README.md @@ -0,0 +1,146 @@ +# Microsoft Exchange Security - Parsers information + +Microsoft Exchange Security solutions use multiple parsers to be able to process correctly the raw data. Those parsers are used to create multiple workbooks, multiple analytic rules but parsers are also here to allow you to format correctly raw data to be used in your own queries. + +Parsers are created [using functions in Azure monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/functions) + +- [Microsoft Exchange Security - Parsers information](#microsoft-exchange-security---parsers-information) + - [ExchangeConfiguration Parser](#exchangeconfiguration-parser) + - [Parser Definition](#parser-definition) + - [Parser Description](#parser-description) + - [Parser Setup](#parser-setup) + - [Linked tables](#linked-tables) + - [Parameters simulation](#parameters-simulation) + - [Exchange Configuration Environment List Parser](#exchange-configuration-environment-list-parser) + - [Parser Definition](#parser-definition-1) + - [Parser Description](#parser-description-1) + - [Parser Setup](#parser-setup-1) + - [Linked tables](#linked-tables-1) + - [Parameters simulation](#parameters-simulation-1) + - [Exchange Admin Audit Logs Parser](#exchange-admin-audit-logs-parser) + - [Parser Definition](#parser-definition-2) + - [Parser Description](#parser-description-2) + - [Parser dependency](#parser-dependency) + - [Parser Setup](#parser-setup-2) + - [Linked tables](#linked-tables-2) + +## ExchangeConfiguration Parser + +### Parser Definition + +- Title: ESI - Exchange Configuration Parser +- Version: 1.6 +- Last Updated: 13/10/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.6 | | +|v1.5 | | +|v1.4 | | +|v1.3 | | + +### Parser Description + +This parser takes raw ESI Exchange Configuration Collector to pivot raw information and retrieve a specific date configuration. This is the same parser for Exchange On-Premises version and Exchange online version of the solution. + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeConfiguration". + +>#### **Parameters:** +> +>4 parameters to add during creation. +> +> 1. SpecificSectionList, type string, default value "" +> 2. SpecificConfigurationDate, type string, default value "lastdate" +> 3. Target, type string, default value "On-Premises" +> 4. SpecificConfigurationEnv, type string, default value "All" + + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes the raw log from the ESI Exchange Collector are on the ESIExchangeConfig_CL and/or ESIExchangeOnlineConfig_CL tables and are uploaded using the builtin REST API uploader of the Collector. + +### Parameters simulation + +If you need to test the parser execution without saving it as a function, add the bellow variable to simulate parameters values at the beginning. + + +``` +let SpecificSectionList = ''; +let SpecificConfigurationDate = 'lastdate'; +let SpecificConfigurationEnv = 'All'; +let Target = 'On-Premises';` +``` + +## Exchange Configuration Environment List Parser + +### Parser Definition + +- Title: Exchange Configuration Environment List Generator +- Version: 1.2 +- Last Updated: 19/09/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.2 | | + +### Parser Description + +This parser takes raw ESI Exchange Configuration Collector to list Exchange Environments that are loaded in the tables. This is the same parser for Exchange On-Premises version and Exchange online version of the solution. + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeEnvironmentList". + +>#### **Parameters:** +> +>1 parameter to add during creation : Target, type string, default value "On-Premises" + + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes the raw log from the ESI Exchange Collector are on the ESIExchangeConfig_CL and/or ESIExchangeOnlineConfig_CL tables and are uploaded using the builtin REST API uploader of the Collector. + +### Parameters simulation + +If you need to test the parser execution without saving it as a function, add the bellow variable to simulate parameters values at the beginning. + + +``` +let Target = 'On-Premises'; +``` + +## Exchange Admin Audit Logs Parser + +### Parser Definition + +- Title: Exchange Admin Audit Logs Parser +- Version: 1.0 +- Last Updated: 15/11/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 | | + +### Parser Description + +This parser takes raw Exchange Admin Audit Logs and add elements like ESI Environment, VIP information, sensitive information, etc... + +### Parser dependency + +This parser is linked to "ExchangeVIP" whatchlist + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeAdminAuditLogs". + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes that MS Exchange Management Logs from Exchange Servers Event Logs are collected in Log Analytics. diff --git a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md index 2c5f059d277..cf332558160 100644 --- a/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange On-Premises/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 08-23-2023 | **ExchangeEnvironmentList** parser name | -| | | corrected in Workbooks. | +| 3.0.1 | 09-13-2023 | readme file for parsers and typo correction | +| 3.0.0 | 08-23-2023 | **ExchangeEnvironmentList** parser name corrected in Workbooks. | diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json index a7a78abf932..591ea4db401 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Data/Solution_MicrosoftExchangeSecurityExchangeOnline.json @@ -16,7 +16,7 @@ ], "Analytic Rules": [], "BasePath": "C:\\Git Repositories\\Azure-Sentinel\\Solutions\\Microsoft Exchange Security - Exchange Online", - "Version": "3.0.0", + "Version": "3.0.1", "Metadata": "SolutionMetadata.json", "TemplateSpec": true, "Is1Pconnector": false diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.1.zip b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.1.zip new file mode 100644 index 00000000000..46b124cbdb4 Binary files /dev/null and b/Solutions/Microsoft Exchange Security - Exchange Online/Package/3.0.1.zip differ diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json index 0cbf0f7948e..7af85208a8b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/createUiDefinition.json @@ -55,8 +55,8 @@ "name": "dataconnectors", "label": "Data Connectors", "bladeTitle": "Data Connectors", -"elements": [ - { + "elements": [ +{ "name": "dataconnectors1", "type": "Microsoft.Common.Section", "label": "Data Connectors", @@ -65,13 +65,13 @@ "name": "dataconnectors1-text", "type": "Microsoft.Common.TextBlock", "options": { - "text": "This solution installs the data connector for collecting exchange online custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." + "text": "This Solution installs the data connector for Microsoft Exchange Security - Exchange Online. You can get Microsoft Exchange Security - Exchange Online custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view." } } ] }, -{ - "name": "dataconnectors-parser", + { +"name": "dataconnectors-parser", "type": "Microsoft.Common.Section", "label": "Parsers", "elements": [ diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json index 9865240561e..19f2967fe88 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Package/mainTemplate.json @@ -49,7 +49,7 @@ "email": "support@microsoft.com", "_email": "[variables('email')]", "_solutionName": "Microsoft Exchange Security - Exchange Online", - "_solutionVersion": "3.0.0", + "_solutionVersion": "3.0.1", "solutionId": "microsoftsentinelcommunity.azure-sentinel-solution-esionline", "_solutionId": "[variables('solutionId')]", "uiConfigId1": "ESI-ExchangeOnlineCollector", @@ -66,7 +66,7 @@ "parserId1": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName1'))]", "_parserId1": "[variables('parserId1')]", "parserTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId1'))))]", - "parserVersion1": "1.0.0", + "parserVersion1": "1.0.1", "parserContentId1": "ExchangeConfiguration-Parser", "_parserContentId1": "[variables('parserContentId1')]", "_parsercontentProductId1": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId1'),'-', variables('parserVersion1'))))]", @@ -75,18 +75,18 @@ "parserId2": "[resourceId('Microsoft.OperationalInsights/workspaces/savedSearches', parameters('workspace'), variables('parserName2'))]", "_parserId2": "[variables('parserId2')]", "parserTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-pr-',uniquestring(variables('_parserContentId2'))))]", - "parserVersion2": "1.0.0", + "parserVersion2": "1.0.1", "parserContentId2": "ExchangeEnvironmentList-Parser", "_parserContentId2": "[variables('parserContentId2')]", "_parsercontentProductId2": "[concat(take(variables('_solutionId'),50),'-','pr','-', uniqueString(concat(variables('_solutionId'),'-','Parser','-',variables('_parserContentId2'),'-', variables('parserVersion2'))))]", - "workbookVersion1": "1.0.0", + "workbookVersion1": "1.0.1", "workbookContentId1": "MicrosoftExchangeLeastPrivilegewithRBAC-Online", "workbookId1": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId1'))]", "workbookTemplateSpecName1": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId1'))))]", "_workbookContentId1": "[variables('workbookContentId1')]", "workspaceResourceId": "[resourceId('microsoft.OperationalInsights/Workspaces', parameters('workspace'))]", "_workbookcontentProductId1": "[concat(take(variables('_solutionId'),50),'-','wb','-', uniqueString(concat(variables('_solutionId'),'-','Workbook','-',variables('_workbookContentId1'),'-', variables('workbookVersion1'))))]", - "workbookVersion2": "1.0.0", + "workbookVersion2": "1.0.1", "workbookContentId2": "MicrosoftExchangeSecurityReview-Online", "workbookId2": "[resourceId('Microsoft.Insights/workbooks', variables('workbookContentId2'))]", "workbookTemplateSpecName2": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat(parameters('workspace'),'-wb-',uniquestring(variables('_workbookContentId2'))))]", @@ -104,7 +104,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.0.0", + "description": "Microsoft Exchange Security - Exchange Online data connector with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('dataConnectorVersion1')]", @@ -632,7 +632,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeConfiguration Data Parser with template version 3.0.0", + "description": "ExchangeConfiguration Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion1')]", @@ -649,7 +649,7 @@ "displayName": "Parser for ExchangeConfiguration", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", - "query": "let _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", "version": 2, "tags": [ @@ -713,8 +713,8 @@ "displayName": "Parser for ExchangeConfiguration", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeConfiguration", - "query": "let _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", - "functionParameters": "SpecificSectionList:string = \"\", SpecificConfigurationDate:string = \"lastdate\", Target:string = \"On-Premises\", SpecificConfigurationEnv:string = \"All\"", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let SpecificSectionList = '';\n// let SpecificConfigurationDate = 'lastdate';\n// let SpecificConfigurationEnv = 'All';\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _SpecificSectionList = split(SpecificSectionList,',');\nlet _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),\"lastdate\",tostring(SpecificConfigurationDate));\nlet _configurationEnv = split(iff(isnull(SpecificConfigurationEnv) or isempty(SpecificConfigurationEnv) or tolower(SpecificConfigurationEnv) == \"all\",\"All\",tostring(SpecificConfigurationEnv)),',');\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\n// Building Base Request\nlet _targetDate = iff(_configurationDate == \"lastdate\", ago(7d), iif(_configurationDate == \"alllife\",ago(1080d),todatetime(_configurationDate)));\nlet baseRequest = materialize (union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* \n | where TimeGenerated > _targetDate\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target\n | extend ScopedEnvironment = iff(_configurationEnv contains \"All\", \"All\",ESIEnvironment_s) \n | where ScopedEnvironment in (_configurationEnv)\n | extend EntryDate = todatetime(EntryDate_s)\n | project-away EntryDate_s);\n// Find Config Id (can be multiple id in all)\nlet findConfigDate = baseRequest\n | extend Env =strcat(Source, \"_\",ESIEnvironment_s)\n | summarize count() by GenerationInstanceID_g,Env,EntryDate\n | extend distance = iff(_configurationDate == \"lastdate\" or _configurationDate == \"alllife\", now() - EntryDate, (EntryDate - todatetime(_configurationDate)))\n | top-nested of Env by Ignore0=max(1), \n top-nested 1 of distance by Ignore1 = min(distance) asc nulls last, \n top-nested of GenerationInstanceID_g by Ignore2=max(2) \n | project GenerationInstanceID_g;\n// Parse Result\nlet ParseExchangeConfig = () { baseRequest \n | join kind=leftsemi (findConfigDate) on $left.GenerationInstanceID_g == $right.GenerationInstanceID_g\n | where isempty(_SpecificSectionList[0]) or Section_s in (_SpecificSectionList)\n | extend TimeGenerated = EntryDate\n | extend Identity = IdentityString_s\n | extend CmdletResultValue = parse_json(rawData_s)\n | project-rename ConfigurationInstanceID = GenerationInstanceID_g, ESIEnvironment = ESIEnvironment_s, Section = Section_s, PSCmdlet = PSCmdL_s, CmdletResultType = ExecutionResult_s, WhenChanged = WhenChanged_t, WhenCreated = WhenCreated_t, Name = Name_s\n | project-away TenantId,SourceSystem,Type,EntryDate\n};\nParseExchangeConfig\n", + "functionParameters": "SpecificSectionList:string,SpecificConfigurationDate:string,SpecificConfigurationEnv:string,Target:string", "version": 2, "tags": [ { @@ -762,7 +762,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "ExchangeEnvironmentList Data Parser with template version 3.0.0", + "description": "ExchangeEnvironmentList Data Parser with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('parserVersion2')]", @@ -779,7 +779,7 @@ "displayName": "Parser for ExchangeEnvironmentList", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", - "query": "let _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", "functionParameters": "Target:string = \"On-Premises\"", "version": 2, "tags": [ @@ -843,8 +843,8 @@ "displayName": "Parser for ExchangeEnvironmentList", "category": "Microsoft Sentinel Parser", "functionAlias": "ExchangeEnvironmentList", - "query": "let _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", - "functionParameters": "Target:string = \"On-Premises\"", + "query": "// Parameters simulation\n// If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values.\n//\n// let Target = 'On-Premises';\n//\n// Parameters definition\nlet _target = iff(isnull(Target) or isempty(Target),\"On-Premises\",Target);\nlet ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange*\n | extend Source = iff (TableName contains \"Online\", \"Online\", \"On-Premises\")\n | where _target == 'All' or Source == _target;\n// Base Request\nScalarbaseRequest | summarize by ESIEnvironment_s | project-rename ESIEnvironment = ESIEnvironment_s\n", + "functionParameters": "Target:string", "version": 2, "tags": [ { @@ -892,7 +892,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.0.0", + "description": "Microsoft Exchange Least Privilege with RBAC - Online Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion1')]", @@ -921,7 +921,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId1'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeLeastPrivilegewithRBAC-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Least Privilege with RBAC - Online; templateRelativePath=Microsoft Exchange Least Privilege with RBAC - Online.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeLeastPrivilegewithRBAC-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook, dedicated to Exchange Online environments is built to have a simple view of non-standard RBAC delegations on an Exchange Online tenant. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Least Privilege with RBAC - Online; templateRelativePath=Microsoft Exchange Least Privilege with RBAC - Online.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId1')]", "contentId": "[variables('_workbookContentId1')]", "kind": "Workbook", @@ -947,14 +947,6 @@ "contentId": "ESIExchangeOnlineConfig_CL", "kind": "DataType" }, - { - "contentId": "ESI-ExchangeOnPremisesCollector", - "kind": "DataConnector" - }, - { - "contentId": "ESI-ExchangeAdminAuditLogEvents", - "kind": "DataConnector" - }, { "contentId": "ESI-ExchangeOnlineCollector", "kind": "DataConnector" @@ -987,7 +979,7 @@ "[extensionResourceId(resourceId('Microsoft.OperationalInsights/workspaces', parameters('workspace')), 'Microsoft.SecurityInsights/contentPackages', variables('_solutionId'))]" ], "properties": { - "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.0.0", + "description": "Microsoft Exchange Security Review - Online Workbook with template version 3.0.1", "mainTemplate": { "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#", "contentVersion": "[variables('workbookVersion2')]", @@ -1016,7 +1008,7 @@ "apiVersion": "2022-01-01-preview", "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/',concat('Workbook-', last(split(variables('workbookId2'),'/'))))]", "properties": { - "description": "@{workbookKey=MicrosoftExchangeSecurityReview-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Exchange Online tenants. It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.0; title=Microsoft Exchange Security Review - Online; templateRelativePath=Microsoft Exchange Security Review - Online.json; subtitle=; provider=Microsoft}.description", + "description": "@{workbookKey=MicrosoftExchangeSecurityReview-Online; logoFileName=Azure_Sentinel.svg; description=This Workbook is dedicated to Exchange Online tenants. It displays and highlights current Security configuration on various Exchange components specific to Online including delegations, the transport configuration and the linked security risks, and risky protocols.; dataTypesDependencies=System.Object[]; dataConnectorsDependencies=System.Object[]; previewImagesFileNames=System.Object[]; version=1.0.1; title=Microsoft Exchange Security Review - Online; templateRelativePath=Microsoft Exchange Security Review - Online.json; subtitle=; provider=Microsoft}.description", "parentId": "[variables('workbookId2')]", "contentId": "[variables('_workbookContentId2')]", "kind": "Workbook", @@ -1042,14 +1034,6 @@ "contentId": "ESIExchangeOnlineConfig_CL", "kind": "DataType" }, - { - "contentId": "ESI-ExchangeOnPremisesCollector", - "kind": "DataConnector" - }, - { - "contentId": "ESI-ExchangeAdminAuditLogEvents", - "kind": "DataConnector" - }, { "contentId": "ESI-ExchangeOnlineCollector", "kind": "DataConnector" @@ -1078,7 +1062,7 @@ "apiVersion": "2023-04-01-preview", "location": "[parameters('workspace-location')]", "properties": { - "version": "3.0.0", + "version": "3.0.1", "kind": "Solution", "contentSchemaVersion": "3.0.0", "displayName": "Microsoft Exchange Security - Exchange Online", diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml index 37d0526c648..89f064731c3 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeConfiguration.yaml @@ -1,8 +1,8 @@ id: f2ae482d-999c-452e-b108-31880aa99620 Function: Title: Parser for ExchangeConfiguration - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2023-09-13' Category: Microsoft Sentinel Parser FunctionName: ExchangeConfiguration FunctionAlias: ExchangeConfiguration @@ -24,6 +24,14 @@ FunctionParams: Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises". DefaultValue: 'On-Premises' FunctionQuery: | + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let SpecificSectionList = ''; + // let SpecificConfigurationDate = 'lastdate'; + // let SpecificConfigurationEnv = 'All'; + // let Target = 'On-Premises'; + // // Parameters definition let _SpecificSectionList = split(SpecificSectionList,','); let _configurationDate = iff(isnull(SpecificConfigurationDate) or isempty(SpecificConfigurationDate),"lastdate",tostring(SpecificConfigurationDate)); diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml index 76bab8257d3..5af32170e7b 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/ExchangeEnvironmentList.yaml @@ -1,8 +1,8 @@ id: fa748dc3-00ee-41cb-b54e-8acd56041b2a Function: Title: Parser for ExchangeEnvironmentList - Version: '1.0.0' - LastUpdated: '2023-08-23' + Version: '1.0.1' + LastUpdated: '2023-09-13' Category: Microsoft Sentinel Parser FunctionName: ExchangeEnvironmentList FunctionAlias: ExchangeEnvironmentList @@ -12,6 +12,11 @@ FunctionParams: Description: The target environment to query. Valid values are "On-Premises" or "Online". Default is "On-Premises". DefaultValue: 'On-Premises' FunctionQuery: | + // Parameters simulation + // If you need to test the parser execution without saving it as a function, uncomment the bellow variable to simulate parameters values. + // + // let Target = 'On-Premises'; + // // Parameters definition let _target = iff(isnull(Target) or isempty(Target),"On-Premises",Target); let ScalarbaseRequest = union isfuzzy=true withsource=TableName ESIAPIExchange*,ESIExchange* diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md new file mode 100644 index 00000000000..2bb91a6bef8 --- /dev/null +++ b/Solutions/Microsoft Exchange Security - Exchange Online/Parsers/README.md @@ -0,0 +1,146 @@ +# Microsoft Exchange Security - Parsers information + +Microsoft Exchange Security solutions use multiple parsers to be able to process correctly the raw data. Those parsers are used to create multiple workbooks, multiple analytic rules but parsers are also here to allow you to format correctly raw data to be used in your own queries. + +Parsers are created [using functions in Azure monitor log queries](https://docs.microsoft.com/azure/azure-monitor/log-query/functions) + +- [Microsoft Exchange Security - Parsers information](#microsoft-exchange-security---parsers-information) + - [ExchangeConfiguration Parser](#exchangeconfiguration-parser) + - [Parser Definition](#parser-definition) + - [Parser Description](#parser-description) + - [Parser Setup](#parser-setup) + - [Linked tables](#linked-tables) + - [Parameters simulation](#parameters-simulation) + - [Exchange Configuration Environment List Parser](#exchange-configuration-environment-list-parser) + - [Parser Definition](#parser-definition-1) + - [Parser Description](#parser-description-1) + - [Parser Setup](#parser-setup-1) + - [Linked tables](#linked-tables-1) + - [Parameters simulation](#parameters-simulation-1) + - [Exchange Admin Audit Logs Parser](#exchange-admin-audit-logs-parser) + - [Parser Definition](#parser-definition-2) + - [Parser Description](#parser-description-2) + - [Parser dependency](#parser-dependency) + - [Parser Setup](#parser-setup-2) + - [Linked tables](#linked-tables-2) + +## ExchangeConfiguration Parser + +### Parser Definition + +- Title: ESI - Exchange Configuration Parser +- Version: 1.6 +- Last Updated: 13/10/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.6 | | +|v1.5 | | +|v1.4 | | +|v1.3 | | + +### Parser Description + +This parser takes raw ESI Exchange Configuration Collector to pivot raw information and retrieve a specific date configuration. This is the same parser for Exchange On-Premises version and Exchange online version of the solution. + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeConfiguration". + +>#### **Parameters:** +> +>4 parameters to add during creation. +> +> 1. SpecificSectionList, type string, default value "" +> 2. SpecificConfigurationDate, type string, default value "lastdate" +> 3. Target, type string, default value "On-Premises" +> 4. SpecificConfigurationEnv, type string, default value "All" + + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes the raw log from the ESI Exchange Collector are on the ESIExchangeConfig_CL and/or ESIExchangeOnlineConfig_CL tables and are uploaded using the builtin REST API uploader of the Collector. + +### Parameters simulation + +If you need to test the parser execution without saving it as a function, add the bellow variable to simulate parameters values at the beginning. + + +``` +let SpecificSectionList = ''; +let SpecificConfigurationDate = 'lastdate'; +let SpecificConfigurationEnv = 'All'; +let Target = 'On-Premises';` +``` + +## Exchange Configuration Environment List Parser + +### Parser Definition + +- Title: Exchange Configuration Environment List Generator +- Version: 1.2 +- Last Updated: 19/09/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.2 | | + +### Parser Description + +This parser takes raw ESI Exchange Configuration Collector to list Exchange Environments that are loaded in the tables. This is the same parser for Exchange On-Premises version and Exchange online version of the solution. + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeEnvironmentList". + +>#### **Parameters:** +> +>1 parameter to add during creation : Target, type string, default value "On-Premises" + + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes the raw log from the ESI Exchange Collector are on the ESIExchangeConfig_CL and/or ESIExchangeOnlineConfig_CL tables and are uploaded using the builtin REST API uploader of the Collector. + +### Parameters simulation + +If you need to test the parser execution without saving it as a function, add the bellow variable to simulate parameters values at the beginning. + + +``` +let Target = 'On-Premises'; +``` + +## Exchange Admin Audit Logs Parser + +### Parser Definition + +- Title: Exchange Admin Audit Logs Parser +- Version: 1.0 +- Last Updated: 15/11/2022 + +|**Version** |**Details** | +|---------|-----------------------------------------------------------------------------------------------------------------------| +|v1.0 | | + +### Parser Description + +This parser takes raw Exchange Admin Audit Logs and add elements like ESI Environment, VIP information, sensitive information, etc... + +### Parser dependency + +This parser is linked to "ExchangeVIP" whatchlist + +### Parser Setup + + 1. Open Log Analytics/Microsoft Sentinel Logs blade. Copy the query below and paste into the Logs query window. + 2. Click the Save button above the query. A pane will appear on the right, select "as Function" from the drop down. Enter the Function Name "ExchangeAdminAuditLogs". + 3. Function App usually take 10-15 minutes to activate. You can then use Function Alias for other queries + +### Linked tables + +This parser assumes that MS Exchange Management Logs from Exchange Servers Event Logs are collected in Log Analytics. diff --git a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md index b4b0e1d9655..eb1bad6a518 100644 --- a/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md +++ b/Solutions/Microsoft Exchange Security - Exchange Online/ReleaseNotes.md @@ -1,4 +1,4 @@ | **Version** | **Date Modified (DD-MM-YYYY)** | **Change History** | |-------------|--------------------------------|---------------------------------------------| -| 3.0.0 | 08-23-2023 |**ExchangeEnvironmentList** parser name | -| | | corrected in Workbooks. | +| 3.0.1 | 09-13-2023 | readme file for parsers and typo correction | +| 3.0.0 | 08-23-2023 |**ExchangeEnvironmentList** parser name corrected in Workbooks. | diff --git a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json index fe502b9d829..596b8904c95 100644 --- a/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json +++ b/Tools/Create-Azure-Sentinel-Solution/V2/WorkbookMetadata/WorkbooksMetadata.json @@ -4590,12 +4590,10 @@ "ESIExchangeOnlineConfig_CL" ], "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", "ESI-ExchangeOnlineCollector" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Least Privilege with RBAC - Online", "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC - Online.json", "subtitle": "", @@ -4604,17 +4602,16 @@ { "workbookKey": "MicrosoftExchangeLeastPrivilegewithRBAC", "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment.", + "description": "This Workbook, dedicated to On-Premises environments is built to have a simple view of non-standard RBAC delegations on an On-Premises Exchange environment. This Workbook allow you to go deep dive on custom delegation and roles and also members of each delegation, including the nested level and the group imbrication on your environment. Required Data Connector: Exchange Security Insights On-Premises Collector.", "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" + "ESIExchangeConfig_CL" ], "dataConnectorsDependencies": [ "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" + "ESI-ExchangeAdminAuditLogEvents" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Least Privilege with RBAC", "templateRelativePath": "Microsoft Exchange Least Privilege with RBAC.json", "subtitle": "", @@ -4623,17 +4620,16 @@ { "workbookKey": "MicrosoftExchangeSearchAdminAuditLog", "logoFileName": "Azure_Sentinel.svg", - "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment.", + "description": "This workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs to give you a simple way to view administrators’ activities in your Exchange environment with Cmdlets usage statistics and multiple pivots to understand who and/or what is affected to modifications on your environment. Required Data Connector: Exchange Audit Event logs via Legacy Agent.", "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" + "ESIExchangeConfig_CL" ], "dataConnectorsDependencies": [ "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" + "ESI-ExchangeAdminAuditLogEvents" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Search AdminAuditLog", "templateRelativePath": "Microsoft Exchange Search AdminAuditLog.json", "subtitle": "", @@ -4642,17 +4638,16 @@ { "workbookKey": "MicrosoftExchangeSecurityMonitoring", "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers.", + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It uses the MSExchange Management event logs and Microsoft Exchange Security configuration collected by data connectors. It helps to track admin actions, especially on VIP Users and/or on Sensitive Cmdlets. This workbook allows also to list Exchange Services changes, local account activities and local logon on Exchange Servers. Required Data Connector: Exchange Audit Event logs via Legacy Agent.", "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" + "ESIExchangeConfig_CL" ], "dataConnectorsDependencies": [ "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" + "ESI-ExchangeAdminAuditLogEvents" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Admin Activity", "templateRelativePath": "Microsoft Exchange Admin Activity.json", "subtitle": "", @@ -4666,12 +4661,10 @@ "ESIExchangeOnlineConfig_CL" ], "dataConnectorsDependencies": [ - "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", "ESI-ExchangeOnlineCollector" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Security Review - Online", "templateRelativePath": "Microsoft Exchange Security Review - Online.json", "subtitle": "", @@ -4680,17 +4673,16 @@ { "workbookKey": "MicrosoftExchangeSecurityReview", "logoFileName": "Azure_Sentinel.svg", - "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks.", + "description": "This Workbook is dedicated to On-Premises Exchange organizations. It displays and highlights current Security configuration on various Exchange components including delegations, rights on databases, Exchange and most important AD Groups with members including nested groups, local administrators of servers. This workbook helps also to understand the transport configuration and the linked security risks. Required Data Connector: Exchange Security Insights On-Premises Collector.", "dataTypesDependencies": [ - "ESIExchangeOnlineConfig_CL" + "ESIExchangeConfig_CL" ], "dataConnectorsDependencies": [ "ESI-ExchangeOnPremisesCollector", - "ESI-ExchangeAdminAuditLogEvents", - "ESI-ExchangeOnlineCollector" + "ESI-ExchangeAdminAuditLogEvents" ], "previewImagesFileNames": [], - "version": "1.0.0", + "version": "1.0.1", "title": "Microsoft Exchange Security Review", "templateRelativePath": "Microsoft Exchange Security Review.json", "subtitle": "",