forked from Azure/Azure-Sentinel
-
Notifications
You must be signed in to change notification settings - Fork 0
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request Azure#8493 from VukaHeavyIndustries/master
SpyCloud Enterprise Protection Initial Commit
- Loading branch information
Showing
63 changed files
with
14,819 additions
and
0 deletions.
There are no files selected for viewing
117 changes: 117 additions & 0 deletions
117
.script/tests/KqlvalidationsTests/CustomTables/SpyCloudBreachDataWatchlist.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,117 @@ | ||
{ | ||
"Name": "SpyCloudBreachDataWatchlist_CL", | ||
"Properties": [ | ||
{ | ||
"Name": "Document_Id_g", | ||
"Type": "Guid" | ||
}, | ||
{ | ||
"Name": "Domain_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Email_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "IP_Address_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Infected_Machine_Id", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Infected_Machine_Id_g", | ||
"Type": "Guid" | ||
}, | ||
{ | ||
"Name": "Infected_Path_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Infected_Time_t", | ||
"Type": "DateTime" | ||
}, | ||
{ | ||
"Name": "Password_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Password_Plaintext_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Severity_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Source_Id_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "SpyCloud_Publish_Date_t", | ||
"Type": "DateTime" | ||
}, | ||
{ | ||
"Name": "Target_Domain_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Target_SubDomain_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Target_URL_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "User_Hostname_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "User_OS_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Username_s", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "TenantID", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "SourceSystem", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "TimeGenerated", | ||
"Type": "DateTime" | ||
}, | ||
{ | ||
"Name": "Computer", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "MG", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "ManagementGroupName", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "RawData", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "Type", | ||
"Type": "String" | ||
}, | ||
{ | ||
"Name": "_ResourceId", | ||
"Type": "String" | ||
} | ||
] | ||
} |
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,81 @@ | ||
[{ | ||
"Document_Id": "a888d0f7-5688-471e-8230-8fd5ab903289", | ||
"Domain": "example.net", | ||
"Email": "sanitized@sanitized.com", | ||
"IP_Address": "82.66.91.250", | ||
"Infected_Machine_Id": "833ca19e-bb6e-4b42-867c-d4da26f5e47e", | ||
"Infected_Path": "C:\\Users\\Pc\\AppData\\Local\\Temp\\Rar$EXb17664.13499\\Setup.exe", | ||
"Infected_Time": "2022-05-26T00:19:15Z", | ||
"Password": "password", | ||
"Password_Plaintext": "password", | ||
"Severity": "25", | ||
"Source_Id": "45775", | ||
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", | ||
"Target_Domain": "", | ||
"Target_SubDomain": "", | ||
"Target_URL": "127.0.0.1", | ||
"User_Hostname": "DESKTOP-R9UHSL2", | ||
"User_OS": "Windows 10 Pro [x64]", | ||
"Username": "" | ||
}, | ||
{ | ||
"Document_Id": "f4328f85-9d5d-4bdc-bd31-fb21844347eb", | ||
"Domain": "example.net", | ||
"Email": "sanitized@sanitized.com", | ||
"IP_Address": "154.118.62.47", | ||
"Infected_Machine_Id": "04a30194-1e78-4bbe-bbcf-927c5a7ff9a3", | ||
"Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe", | ||
"Infected_Time": "2021-11-10T21:52:27Z", | ||
"Password": "password", | ||
"Password_Plaintext": "password", | ||
"Severity": "25", | ||
"Source_Id": "45775", | ||
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", | ||
"Target_Domain": "sidjisanggarrias.my.id", | ||
"Target_SubDomain": "", | ||
"Target_URL": "sidjisanggarrias.my.id", | ||
"User_Hostname": "DESKTOP-I2737MG", | ||
"User_OS": "Windows 10 Pro [x64]", | ||
"Username": "" | ||
}, | ||
{ | ||
"Document_Id": "62a47fd6-4c00-4e11-9ee1-d0d3f9b92d2a", | ||
"Domain": "example.net", | ||
"Email": "sanitized@sanitized.com", | ||
"IP_Address": "41.199.16.142", | ||
"Infected_Machine_Id": "40c31de2-d2ad-4f3b-9a7b-0506578cdd03", | ||
"Infected_Path": "C:\\Users\\CHOICE COMPUTER\\Downloads\\pswd_9787_portable-setup\\Setup.exe", | ||
"Infected_Time": "2023-01-27T21:50:06Z", | ||
"Password": "Chancery1", | ||
"Password_Plaintext": "Chancery1", | ||
"Severity": "25", | ||
"Source_Id": "45775", | ||
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", | ||
"Target_Domain": "cytonn.com", | ||
"Target_SubDomain": "stage.careers.cytonn.com", | ||
"Target_URL": "stage.careers.cytonn.com", | ||
"User_Hostname": "DESKTOP-R2LML9F", | ||
"User_OS": "Windows 10 Pro [x64]", | ||
"Username": "" | ||
}, | ||
{ | ||
"Document_Id": "7720e6ec-ab63-441d-9b06-7551e45f8ca3", | ||
"Domain": "example.net", | ||
"Email": "sanitized@sanitized.com", | ||
"IP_Address": "41.199.16.142", | ||
"Infected_Machine_Id": "17ccfce3-b74f-4dbd-abd2-5f879caa7068", | ||
"Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe", | ||
"Infected_Time": "2021-02-11T01:45:46Z", | ||
"Password": "password@admin$", | ||
"Password_Plaintext": "password@admin$", | ||
"Severity": "25", | ||
"Source_Id": "45775", | ||
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z", | ||
"Target_Domain": "", | ||
"Target_SubDomain": "", | ||
"Target_URL": "127.0.0.1", | ||
"User_Hostname": "DESKTOP-Q8BDVTN", | ||
"User_OS": "Windows 10 Pro [x64]", | ||
"Username": "" | ||
} | ||
] |
53 changes: 53 additions & 0 deletions
53
...SpyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,53 @@ | ||
id: cb410ad5-6e9d-4278-b963-1e3af205d680 | ||
name: SpyCloud Enterprise Breach Detection | ||
description: | | ||
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data' | ||
severity: High | ||
requiredDataConnectors: [] | ||
status: Available | ||
queryFrequency: 12h | ||
queryPeriod: 12h | ||
triggerOperator: gt | ||
triggerThreshold: 0 | ||
suppressionDuration: 5h | ||
tactics: | ||
- CredentialAccess | ||
relevantTechniques: | ||
- T1555 | ||
query: | | ||
SpyCloudBreachDataWatchlist_CL | ||
| where Severity_s == '20' | ||
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s | ||
incidentConfiguration: | ||
createIncident: true | ||
groupingConfiguration: | ||
enabled: true | ||
reopenClosedIncident: false | ||
lookbackDuration: 12h | ||
matchingMethod: AllEntities | ||
eventGroupingSettings: | ||
aggregationKind: AlertPerResult | ||
alertDetailsOverride: null | ||
entityMappings: | ||
- entityType: Account | ||
fieldMappings: | ||
- identifier: FullName | ||
columnName: Email_s | ||
- entityType: Account | ||
fieldMappings: | ||
- identifier: Name | ||
columnName: Username_s | ||
- entityType: IP | ||
fieldMappings: | ||
- identifier: Address | ||
columnName: IP_Address_s | ||
customDetails: | ||
Document_Id: Document_Id_g | ||
Password: Password_s | ||
Password_Plaintext: Password_Plaintext_s | ||
Source_Id: Source_Id_s | ||
Domain: Domain_s | ||
PublishDate: SpyCloud_Publish_Date_t | ||
sentinelEntitiesMappings: null | ||
version: 1.0.0 | ||
kind: Scheduled |
68 changes: 68 additions & 0 deletions
68
...pyCloud Enterprise Protection/Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,68 @@ | ||
id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | ||
name: SpyCloud Enterprise Malware Detection | ||
description: | | ||
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data' | ||
severity: High | ||
requiredDataConnectors: [] | ||
status: Available | ||
queryFrequency: 12h | ||
queryPeriod: 12h | ||
triggerOperator: gt | ||
triggerThreshold: 0 | ||
suppressionDuration: 5h | ||
tactics: | ||
- CredentialAccess | ||
relevantTechniques: | ||
- T1555 | ||
query: | | ||
SpyCloudBreachDataWatchlist_CL | ||
| where Severity_s == '25' | ||
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s | ||
incidentConfiguration: | ||
createIncident: true | ||
groupingConfiguration: | ||
enabled: true | ||
reopenClosedIncident: false | ||
lookbackDuration: 12h | ||
matchingMethod: AllEntities | ||
eventGroupingSettings: | ||
aggregationKind: AlertPerResult | ||
alertDetailsOverride: null | ||
entityMappings: | ||
- entityType: Host | ||
fieldMappings: | ||
- identifier: HostName | ||
columnName: Infected_Machine_Id_g | ||
- identifier: DnsDomain | ||
columnName: User_Hostname_s | ||
- entityType: Account | ||
fieldMappings: | ||
- identifier: FullName | ||
columnName: Email_s | ||
- identifier: Name | ||
columnName: Username_s | ||
- entityType: DNS | ||
fieldMappings: | ||
- identifier: DomainName | ||
columnName: Target_Domain_s | ||
- entityType: DNS | ||
fieldMappings: | ||
- identifier: DomainName | ||
columnName: Target_SubDomain_s | ||
- entityType: IP | ||
fieldMappings: | ||
- identifier: Address | ||
columnName: IP_Address_s | ||
customDetails: | ||
Document_Id: Document_Id_g | ||
Password: Password_s | ||
Password_Plaintext: Password_Plaintext_s | ||
Infected_Path: Infected_Path_s | ||
Infected_Time: Infected_Time_t | ||
Domain: Domain_s | ||
Source_Id: Source_Id_s | ||
PublishDate: SpyCloud_Publish_Date_t | ||
User_Host_Name: User_Hostname_s | ||
sentinelEntitiesMappings: null | ||
version: 1.0.0 | ||
kind: Scheduled |
26 changes: 26 additions & 0 deletions
26
Solutions/SpyCloud Enterprise Protection/Data/Solution_Spycloud_Enterprise_Protection.json
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,26 @@ | ||
{ | ||
"Name": "SpyCloud Enterprise Protection", | ||
"Author": "SpyCloud", | ||
"Logo": "<img src=\"https://raw.githubusercontent.com/azure/azure-sentinel/blob/master/Logos/SpyCloud_Enterprise_Protection.svg\" width=\"75\" height=\"75\" >", | ||
"Description": "Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.", | ||
"Playbooks": [ | ||
"Playbooks/Custom Connector/azuredeploy.json", | ||
"Playbooks/SpyCloud-Breach-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Get-Email-Breach-Data-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Get-IP-Breach-Data-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Get-Password-Breach-Data-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Get-Username-Breach-Data-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Malware-Playbook/azuredeploy.json", | ||
"Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json" | ||
], | ||
"Analytic Rules": [ | ||
"Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml", | ||
"Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml" | ||
], | ||
"BasePath": "D:\\GitHub\\Azure-Sentinel\\Solutions\\SpyCloud Enterprise Protection", | ||
"Version": "3.0.0", | ||
"Metadata": "SolutionMetadata.json", | ||
"TemplateSpec": true, | ||
"Is1PConnector": false | ||
} |
Binary file not shown.
Oops, something went wrong.