Skip to content

Commit

Permalink
Merge pull request Azure#8493 from VukaHeavyIndustries/master
Browse files Browse the repository at this point in the history
SpyCloud Enterprise Protection Initial Commit
  • Loading branch information
v-atulyadav authored Sep 18, 2023
2 parents 72fad79 + c3c933a commit c5886fc
Show file tree
Hide file tree
Showing 63 changed files with 14,819 additions and 0 deletions.
Original file line number Diff line number Diff line change
@@ -0,0 +1,117 @@
{
"Name": "SpyCloudBreachDataWatchlist_CL",
"Properties": [
{
"Name": "Document_Id_g",
"Type": "Guid"
},
{
"Name": "Domain_s",
"Type": "String"
},
{
"Name": "Email_s",
"Type": "String"
},
{
"Name": "IP_Address_s",
"Type": "String"
},
{
"Name": "Infected_Machine_Id",
"Type": "String"
},
{
"Name": "Infected_Machine_Id_g",
"Type": "Guid"
},
{
"Name": "Infected_Path_s",
"Type": "String"
},
{
"Name": "Infected_Time_t",
"Type": "DateTime"
},
{
"Name": "Password_s",
"Type": "String"
},
{
"Name": "Password_Plaintext_s",
"Type": "String"
},
{
"Name": "Severity_s",
"Type": "String"
},
{
"Name": "Source_Id_s",
"Type": "String"
},
{
"Name": "SpyCloud_Publish_Date_t",
"Type": "DateTime"
},
{
"Name": "Target_Domain_s",
"Type": "String"
},
{
"Name": "Target_SubDomain_s",
"Type": "String"
},
{
"Name": "Target_URL_s",
"Type": "String"
},
{
"Name": "User_Hostname_s",
"Type": "String"
},
{
"Name": "User_OS_s",
"Type": "String"
},
{
"Name": "Username_s",
"Type": "String"
},
{
"Name": "TenantID",
"Type": "String"
},
{
"Name": "SourceSystem",
"Type": "String"
},
{
"Name": "TimeGenerated",
"Type": "DateTime"
},
{
"Name": "Computer",
"Type": "String"
},
{
"Name": "MG",
"Type": "String"
},
{
"Name": "ManagementGroupName",
"Type": "String"
},
{
"Name": "RawData",
"Type": "String"
},
{
"Name": "Type",
"Type": "String"
},
{
"Name": "_ResourceId",
"Type": "String"
}
]
}
26 changes: 26 additions & 0 deletions Logos/SpyCloud_Enterprise_Protection.svg
Loading
Sorry, something went wrong. Reload?
Sorry, we cannot display this file.
Sorry, this file is invalid so it cannot be displayed.
81 changes: 81 additions & 0 deletions Sample Data/Custom/SpyCloudBreachDataWatchlist_CL.json
Original file line number Diff line number Diff line change
@@ -0,0 +1,81 @@
[{
"Document_Id": "a888d0f7-5688-471e-8230-8fd5ab903289",
"Domain": "example.net",
"Email": "sanitized@sanitized.com",
"IP_Address": "82.66.91.250",
"Infected_Machine_Id": "833ca19e-bb6e-4b42-867c-d4da26f5e47e",
"Infected_Path": "C:\\Users\\Pc\\AppData\\Local\\Temp\\Rar$EXb17664.13499\\Setup.exe",
"Infected_Time": "2022-05-26T00:19:15Z",
"Password": "password",
"Password_Plaintext": "password",
"Severity": "25",
"Source_Id": "45775",
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
"Target_Domain": "",
"Target_SubDomain": "",
"Target_URL": "127.0.0.1",
"User_Hostname": "DESKTOP-R9UHSL2",
"User_OS": "Windows 10 Pro [x64]",
"Username": ""
},
{
"Document_Id": "f4328f85-9d5d-4bdc-bd31-fb21844347eb",
"Domain": "example.net",
"Email": "sanitized@sanitized.com",
"IP_Address": "154.118.62.47",
"Infected_Machine_Id": "04a30194-1e78-4bbe-bbcf-927c5a7ff9a3",
"Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe",
"Infected_Time": "2021-11-10T21:52:27Z",
"Password": "password",
"Password_Plaintext": "password",
"Severity": "25",
"Source_Id": "45775",
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
"Target_Domain": "sidjisanggarrias.my.id",
"Target_SubDomain": "",
"Target_URL": "sidjisanggarrias.my.id",
"User_Hostname": "DESKTOP-I2737MG",
"User_OS": "Windows 10 Pro [x64]",
"Username": ""
},
{
"Document_Id": "62a47fd6-4c00-4e11-9ee1-d0d3f9b92d2a",
"Domain": "example.net",
"Email": "sanitized@sanitized.com",
"IP_Address": "41.199.16.142",
"Infected_Machine_Id": "40c31de2-d2ad-4f3b-9a7b-0506578cdd03",
"Infected_Path": "C:\\Users\\CHOICE COMPUTER\\Downloads\\pswd_9787_portable-setup\\Setup.exe",
"Infected_Time": "2023-01-27T21:50:06Z",
"Password": "Chancery1",
"Password_Plaintext": "Chancery1",
"Severity": "25",
"Source_Id": "45775",
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
"Target_Domain": "cytonn.com",
"Target_SubDomain": "stage.careers.cytonn.com",
"Target_URL": "stage.careers.cytonn.com",
"User_Hostname": "DESKTOP-R2LML9F",
"User_OS": "Windows 10 Pro [x64]",
"Username": ""
},
{
"Document_Id": "7720e6ec-ab63-441d-9b06-7551e45f8ca3",
"Domain": "example.net",
"Email": "sanitized@sanitized.com",
"IP_Address": "41.199.16.142",
"Infected_Machine_Id": "17ccfce3-b74f-4dbd-abd2-5f879caa7068",
"Infected_Path": "C:\\Windows\\SysWOW64\\explorer.exe",
"Infected_Time": "2021-02-11T01:45:46Z",
"Password": "password@admin$",
"Password_Plaintext": "password@admin$",
"Severity": "25",
"Source_Id": "45775",
"SpyCloud_Publish_Date": "2023-07-21T00:00:00Z",
"Target_Domain": "",
"Target_SubDomain": "",
"Target_URL": "127.0.0.1",
"User_Hostname": "DESKTOP-Q8BDVTN",
"User_OS": "Windows 10 Pro [x64]",
"Username": ""
}
]
Original file line number Diff line number Diff line change
@@ -0,0 +1,53 @@
id: cb410ad5-6e9d-4278-b963-1e3af205d680
name: SpyCloud Enterprise Breach Detection
description: |
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
severity: High
requiredDataConnectors: []
status: Available
queryFrequency: 12h
queryPeriod: 12h
triggerOperator: gt
triggerThreshold: 0
suppressionDuration: 5h
tactics:
- CredentialAccess
relevantTechniques:
- T1555
query: |
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '20'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, IP_Address_s
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 12h
matchingMethod: AllEntities
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride: null
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Email_s
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Username_s
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_Address_s
customDetails:
Document_Id: Document_Id_g
Password: Password_s
Password_Plaintext: Password_Plaintext_s
Source_Id: Source_Id_s
Domain: Domain_s
PublishDate: SpyCloud_Publish_Date_t
sentinelEntitiesMappings: null
version: 1.0.0
kind: Scheduled
Original file line number Diff line number Diff line change
@@ -0,0 +1,68 @@
id: 7ba50f9e-2f94-462b-a54b-8642b8c041f5
name: SpyCloud Enterprise Malware Detection
description: |
'This alert creates an incident when an malware record is detected in the SpyCloud watchlist data'
severity: High
requiredDataConnectors: []
status: Available
queryFrequency: 12h
queryPeriod: 12h
triggerOperator: gt
triggerThreshold: 0
suppressionDuration: 5h
tactics:
- CredentialAccess
relevantTechniques:
- T1555
query: |
SpyCloudBreachDataWatchlist_CL
| where Severity_s == '25'
| project TimeGenerated, Document_Id_g, Source_Id_s, SpyCloud_Publish_Date_t, Email_s, Domain_s, Password_s, Password_Plaintext_s, Username_s, Infected_Machine_Id_g, Infected_Path_s, Infected_Time_t, Target_Domain_s, Target_SubDomain_s, User_Hostname_s, User_OS_s, Target_URL_s,IP_Address_s
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: true
reopenClosedIncident: false
lookbackDuration: 12h
matchingMethod: AllEntities
eventGroupingSettings:
aggregationKind: AlertPerResult
alertDetailsOverride: null
entityMappings:
- entityType: Host
fieldMappings:
- identifier: HostName
columnName: Infected_Machine_Id_g
- identifier: DnsDomain
columnName: User_Hostname_s
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Email_s
- identifier: Name
columnName: Username_s
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Target_Domain_s
- entityType: DNS
fieldMappings:
- identifier: DomainName
columnName: Target_SubDomain_s
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IP_Address_s
customDetails:
Document_Id: Document_Id_g
Password: Password_s
Password_Plaintext: Password_Plaintext_s
Infected_Path: Infected_Path_s
Infected_Time: Infected_Time_t
Domain: Domain_s
Source_Id: Source_Id_s
PublishDate: SpyCloud_Publish_Date_t
User_Host_Name: User_Hostname_s
sentinelEntitiesMappings: null
version: 1.0.0
kind: Scheduled
Original file line number Diff line number Diff line change
@@ -0,0 +1,26 @@
{
"Name": "SpyCloud Enterprise Protection",
"Author": "SpyCloud",
"Logo": "<img src=\"https://raw.githubusercontent.com/azure/azure-sentinel/blob/master/Logos/SpyCloud_Enterprise_Protection.svg\" width=\"75\" height=\"75\" >",
"Description": "Cybercriminals continue to utilize stolen corporate credentials as the number one technique for account takeover (ATO). In fact, the FBI estimated that this resulted in estimated losses totaling more than $2.7 billion in 2022. SpyCloud helps prevent account takeover and ransomware attacks by identifying exposed credentials related to a company’s domains, IP addresses and emails. Through this integration, breach and malware data from SpyCloud can be loaded into Sentinel.",
"Playbooks": [
"Playbooks/Custom Connector/azuredeploy.json",
"Playbooks/SpyCloud-Breach-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Get-Domain-Breach-Data-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Get-Email-Breach-Data-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Get-IP-Breach-Data-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Get-Password-Breach-Data-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Get-Username-Breach-Data-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Malware-Playbook/azuredeploy.json",
"Playbooks/SpyCloud-Monitor-Watchlist-Data/azuredeploy.json"
],
"Analytic Rules": [
"Analytic Rules/SpyCloudEnterpriseProtectionBreachRule.yaml",
"Analytic Rules/SpyCloudEnterpriseProtectionMalwareRule.yaml"
],
"BasePath": "D:\\GitHub\\Azure-Sentinel\\Solutions\\SpyCloud Enterprise Protection",
"Version": "3.0.0",
"Metadata": "SolutionMetadata.json",
"TemplateSpec": true,
"Is1PConnector": false
}
Binary file not shown.
Loading

0 comments on commit c5886fc

Please sign in to comment.